Constraint programming is a family of techniques for solving combinatorial problems, where the problem is modelled 
as a set of decision variables (typically with finite domains) and a set of constraints that express relations among 
the decision variables. One key concept in constraint programming is propagation: reasoning on a constraint or set 
of constraints to derive new facts, typically to remove values from the domains of decision variables. Specialised 
propagation algorithms (propagators) exist for many classes of constraints. 

The concept of support is pervasive in the design of propagators. Traditionally, when a domain value ceases to 
have support, it may be removed because it takes part in no solutions. Arc-consistency algorithms such as AC2001 
[8] make use of support in the form of a single domain value. GAC algorithms such as GAC-Schema use a tuple 
of values to support each literal. We generalize these notions of support in two ways. First, we allow a set of tuples 
to act as support. Second, the supported object is generalized from a set of literals (GAC-Schema) to an entire 
constraint or any part of it. 

We design a methodology for developing correct propagators using generalized support. A constraint is expressed 
as a family of support properties, which may be proven correct against the formal semantics of the constraint. 
Using the Curry-Howard isomorphism to interpret constructive proofs as programs, we show how to derive correct 
propagators from the constructive proofs of the support properties. The framework is carefully designed to allow 
efficient algorithms to be produced. Derived algorithms may make use of dynamic literal triggers or watched literals 
[14] for efficiency. Finally, two case studies of deriving efficient algorithms are given. 
1. Introduction 

In this paper we provide a formal development of the notion of support in constraint satisfaction. 
This notion is ubiquitous and plays a vital role in the understanding, development, and 
implementation of constraint propagators, which in turn are the keystone of a successful 
constraint solver. 

While we focus on a formal development in this paper, our purpose is not to describe formally 
what is currently seen in constraint satisfaction. Instead, we generalize the notion of support 
so that it can be used in a wider variety of propagators. The result is the first step in a twin 
programme of developing a formal understanding of constraint algorithms, while also developing 
notions such as generalized support which should lead to improved constraint algorithms in the 
future. 

The methodology presented here for formal development of propagators is based on the 
proofs-as-programs and propositions-as-types interpretations of constructive type theory 
|TnTTH|. Like the earlier development in [^, the approach presented here uses a constructive 
type theory as the formal framework for specifying and developing programs. There, the proofs 
were mechanically checked in the Nuprl theorem prover [IT]; here the development is formal but 
proofs have not been mechanically checked. 

1.1. Overview of the Constraint Satisfaction Problem 

A constraint is simply a relation over a set of 
variables. Many different kinds of information can 
be represented with constraints. The following are 
simple examples: one variable is less than another; 
a set of variables must take distinct values; task 
A must be scheduled before task B; two objects 
may not occupy the same space. It is this flexibility 
which allows constraints to be applied to many 
theoretical, industrial and mathematical problems. 

The classical constraint satisfaction problem (CSP) has a finite set of variables, each with a 
finite domain, and a set of constraints over those variables. A solution to an instance of CSP 
is an assignment to each variable, such that all constraints are simultaneously satisfied — that 
is, they are all true under the assignment. Solvers typically find one or all solutions, or prove 
there are no solutions. The decision problem (‘does there exist a solution?’) is NP-complete [1], 
therefore there is no known polynomial-time procedure to find a solution. 

1.2. Solving CSP 

Constraint programming includes a great variety of domain specific and general techniques for 
solving systems of constraints. Since CSP is NP-complete, most algorithms are based on a search 
which potentially explores an exponential number of nodes. The most common technique is to 
interleave splitting and propagation. Splitting is the basic operation of search, and propagation 
simplifies the CSP instance. Apt views the solution process as the repeated transformation of the 
CSP until a solution state is reached [1]. In this view, both splitting and propagation are 
transformations, where propagation simplifies the CSP by removing domain values that cannot take 
part in any solution. A splitting operation transforms a CSP instance into two or more simpler 
CSP instances, and by recursive application of splitting any CSP can be solved. 

Systems such as Choco [2T|, IBM ILOG CPLEX CP Optimizer [TH] and Minion [13] implement highly 
optimized constraint solvers based on search and propagation, and (depending on the formulation) 
are able to solve extremely large problem instances quickly. 

Our focus in this paper is on propagation algorithms. A propagation algorithm operates on a 
single constraint, simplifying the containing CSP instance by removing values from variables in 
the scope of the constraint. Values which cannot take part in any solution are removed. For 
example, a propagator for $x < y$ might remove all values of $x$ which are greater than the 
largest value of $y$. Typically propagation algorithms are executed iteratively until none can 
make any further simplifications. 


1.3. Proofs to propagators 


Researchers frequently invent new algorithms and (sometimes) give proofs of correctness, of 
varying rigour. In this paper we provide a formal semantics of CSP. This allows us to formally 
characterize correctness of constraint propagators, and therefore aid the proof of correctness of 
propagators. Following this, we lay the groundwork for automatic generation of correct 
propagators. The method is to write a set of support properties which together characterize the 
constraint. Each property is inserted into a schema, and a constructive proof of the schema is 
generated. This proof is then translated into a correct-by-construction propagator. This method 
is based on the concept of generalized support, described in the next section. Finally, we give 
examples of this method by deriving propagators for the element, occurrenceleq and occurrencegeq 
constraints. 
1.4. Generalized support 

Central to this work is the notion of support. This notion is used informally in many places 
(for example, in the description of the algorithm GAC-Schema 0) and more formally by Bessiere. 
We generalize the concept of support, and develop a formal framework to allow us to produce 
rigorous proofs of the correctness of propagators that exploit the generalized concept of 
support. 

Support is a natural concept in constraint programming. Constraint propagators remove 
unsupported values from variable domains, thus simplifying a CSP instance. Supported values 
cannot be removed, since they may be contained in a solution. Thus a support is evidence that a 
value (or set of values) may be contained in a solution. If no support exists, it is guaranteed 
that a value (or set of values) is not contained in any solution. 

A support property characterises the supports of a particular value (or set of values) for a 
particular constraint. For example, three support properties of an element constraint are given 
by Gent et al. [14]. Each of these three properties is used to create a propagator, such that the 
three propagators together achieve generalized arc consistency. In this instance, writing down 
support properties assisted in proving the propagators correct. 

We show that correct support properties can be used to create propagators that are correct by 
construction. We describe a general “propagation schema”, which is a description of what should 
be proved when support is lost for a given support property. This captures how propagators work 
in practice. They are “triggered” when it is noted that the current support is lost. The 
propagator then seeks to re-establish support. This might be possible on the current domains, or 
it may need to narrow domains (i.e. remove some values of some variables), or it may be that no 
new support is possible and the constraint is guaranteed to be false. The propagation schema 
specialised for a given support property can be proven constructively. The proof contains 
sufficient information to be translated into a correct propagator. We envisage two main uses for 
such a propagator. For some constraints, it may be an efficient propagator that can be used 
directly. Otherwise, the constructed propagator may be used as part of an informal argument for 
the correctness of an efficient propagator. 


1.5. Related Work 

There are a number of items of related work with related or similar goals; however, the approach 
taken in each case is quite different to our approach. Apt and Monfroy [2] generate propagation 
rules such as $X = s \to y \neq a$, where $X$ is a vector of CSP variables, $s$ is a vector of 
values within the initial domain of $X$, $y$ is a CSP variable and $a$ is a value in the initial 
domain of $y$. Rules correspond directly to propagation in a constraint solver (i.e. when $X$ is 
assigned $s$, $a$ is removed from the domain of $y$). A set of rules is generated for a given 
constraint by a search over the (potentially very large) space of possible rules. In contrast, 
our approach is much broader in that it is not restricted to generating implication rules. Our 
framework allows both the derivation of new propagators and proof of correctness of existing 
ones. 

Beldiceanu, Carlsson and Petit [4] describe constraints using finite state automata extended 
with counters. For a constraint $C$, the automaton for $C$ can check whether any given assignment 
satisfies $C$. Beldiceanu, Carlsson and Petit give a method to translate an automaton into a set 
of short constraints (a decomposition) such that propagating them will propagate the original 
constraint $C$, and there are (in some cases) guarantees of the strength of propagation. The 
approach has been subsequently refined, for example by linking overlapping prefixes and suffixes 
of constraints [3]. Their approach generates decompositions of a particular form, whereas in this 
paper our focus is on deriving efficient propagators. 

Jefferson and Petrie [1^ studied the properties of triggers, in particular comparing static 
triggers with movable triggers on a number of constraint classes and consistencies. They 
demonstrate that movable triggers can lead to much more efficient propagators. To do this they 
generalise the concept of support in a similar way to us; however, their work treats each 
propagator as a monolithic black box whereas we are interested in constructing propagators and 
proving correctness and other properties of them. 

2. Definitions and Notation 

2.1. The Standard Mathematical Account 

We start by giving the standard definition of a constraint satisfaction problem (e.g. see M). 
Formal definitions of the notations used here are given below. 

Definition 1 (Constraint Satisfaction Problem). A Constraint Satisfaction Problem (CSP) is given 
by a triple $\langle X, \sigma, C\rangle$ where $X$ is a $k$-tuple of variables 
$X = \langle x_1, \ldots, x_k\rangle$ and $\sigma$ is a signature (a function 
$\sigma : X \to 2^{\mathbb{Z}}$ mapping variables in $X$ to their corresponding domains, such 
that $\sigma(x_i) \subseteq \mathbb{Z}$ is the finite domain of variable $x_i$). $C$ is a tuple 
of extensional constraints $C = \langle C_1, \ldots, C_m\rangle$ where each $C_i$ is of the form 
$\langle Y, R_Y\rangle$ where $Y \subseteq X$ is a tuple of variables called the schema or scope 
of the constraint $C_i$. Also, $R_Y$ is a relation given by a subset of the Cartesian products of 
the domains of the variables in the scope $Y$ and is called the extension of $C_i$. 

Definition 2 (Satisfying tuple). We say a $Z$-tuple $\tau$ satisfies constraint 
$\langle Y, R_Y\rangle$ if $Y \subseteq Z$, and the projection $Y[\tau]$ is in $R_Y$ (i.e. if the 
projection of the scope $Y$ from $\tau$ is in $R_Y$). 

Definition 3 (Solution). A solution to a CSP $\langle X, \sigma, C\rangle$ is a tuple $\tau$, 
with schema $X$, such that $\tau$ satisfies every constraint in $C$. 

2.2. Variable Naming Conventions, Ranges, and Literals 

We use lower case letters (possibly subscripted or primed) from near the end of the Latin 
alphabet $\{w, x, y, z\}$ to denote variables. We use Latin letters $\{i, j, k\}$ to denote 
integer indexes, and use the Latin letters occurring early in the alphabet $\{a, b, c, d\}$ 
(possibly subscripted) to denote arbitrary integer values. 

Ranges are defined as follows. 

$$\{b \ldots c\} \stackrel{\text{def}}{=} \{a \in \mathbb{Z} \mid b \leq a \wedge a \leq c\}$$

We write $2^A$ to denote the powerset (set of all subsets) of $A$. A literal is a variable-value 
pair (e.g. $\langle x, 5\rangle$). 

2.3. Vectors 

We use uppercase letters $W, X, Y, Z, \ldots$ to denote vectors of variables. We use the Greek 
letters $\{\tau, \tau', \tau_1, \tau_2, \ldots\}$ to denote tuples of integer values. 

We write finite vectors as sequences of values enclosed in angled brackets (e.g. 
$\langle x, y, z\rangle$). The empty vector is written $\langle\rangle$. We take the operation of 
prepending a single element to the left end of a vector as primitive and denote this operation 
$x \cdot Y$. We abuse this notation by writing $X \cdot Y$ for the concatenation of vectors $X$ 
and $Y$. We write $|Y|$ to denote the length of vector $Y$. Given a vector $Y$, we write $Y[i]$ 
to denote the (zero-based) $i$th element of $Y$. This operation is undefined if 
$i \notin \{0 \ldots |Y| - 1\}$. 

Membership in a vector is defined as follows. 

$$z \in Y \stackrel{\text{def}}{=} \exists i : \{0 \ldots |Y| - 1\}.\ Y[i] = z$$

We will sometimes need to collect the set of indexes to an element in a vector. 

$$Y[[z]] \stackrel{\text{def}}{=} \{i \in \{0 \ldots |Y| - 1\} \mid Y[i] = z\}$$

Thus, $\langle x, y, z, x\rangle[[x]] = \{0, 3\}$. Note that $Y[[z]] \neq \emptyset$ iff 
$z \in Y$ and also each index in $Y[[z]]$ is a witness for $z \in Y$. 

If $y \in Y$, we write $Y - y$ to denote the vector obtained from $Y$ by deleting the leftmost 
occurrence of $y$ from $Y$. $Y - y = Y$ if $y \notin Y$. We write $Z - Y$ for the vector obtained 
by removing leftmost occurrences of all $y \in Y$ from $Z$. Given a vector $Z$, we write 
$\{Z\}$ to denote the set of values in $Z$ and given a set of variables $S$ we write 
$\langle S\rangle$ to denote a vector of the variables in $S$; the reader may assume the 
variables in $\langle S\rangle$ occur in increasing lexicographic order. Intersection and unions 
are defined on vectors by taking them as sets: 
$X \cap Y \stackrel{\text{def}}{=} \langle\{X\} \cap \{Y\}\rangle$ and 
$X \cup Y \stackrel{\text{def}}{=} \langle\{X\} \cup \{Y\}\rangle$. We write $Y \subseteq X$ to 
mean $\{Y\} \subseteq \{X\}$, i.e. that every element in $Y$ is in $X$ with no stipulations on 
relative lengths of $X$ or $Y$ or on the order of their elements. 

2.4. Signatures 

A signature $\sigma$ is a function mapping variables in $X$ to their associated domains. Thus, 
signatures are functions $\sigma : X \to 2^{\mathbb{Z}}$ where in practice, the subset of 
integers mapped to is finite. Where $\sigma$ and $\sigma'$ are signatures mapping variables in 
$X$ to their finite integer domains: 

$$\sigma' \sqsubseteq_X \sigma \stackrel{\text{def}}{=} \forall x \in X.\ \sigma'(x) \subseteq \sigma(x)$$

We write $\sigma' \sqsubset_X \sigma$ if $\sigma' \sqsubseteq_X \sigma$ and 
$\exists x \in X : \sigma'(x) \subset \sigma(x)$, i.e. if some domain of $\sigma'$ is a proper 
subset of the corresponding domain of $\sigma$. We drop the schema subscript when the schema is 
clear from the context. We state the following without proof. 

Lemma 1 (Signature Inclusion Well-founded). The relation $\sqsubset$ is well-founded if 
restricted to signatures with finite domains. 
2.5. Relations 

In the description of a CSP given above, a constraint $\langle Y, R_Y\rangle$ is a relation 
where the schema $Y$ gives the variable names and $R_Y$ is the set of tuples in the relation. 

Given a signature $\sigma$ mapping variables in schema $Y$ to their domains, a relation 
$\langle Y, R_Y\rangle$ is well-formed with respect to $\sigma$ iff the following conditions 
hold: 

i. All tuples in $R_Y$ have length $|Y|$ 

ii. The values in each column come from the specified domain for that column: 

$$\forall \tau : R_Y.\ \forall i : \{0 \ldots |Y| - 1\}.\ \tau[i] \in \sigma(Y[i])$$

Schemata are vectors of variable names with no restriction on how many times a variable may 
occur. Thus it is possible to have a wellformed relation whose schema has common names for 
multiple columns. Given a signature $\sigma$ over a schema $X$, a tuple $\tau$ is called an 
$X$-tuple if $\langle X, \{\tau\}\rangle$ is well-formed w.r.t. $\sigma$. In this case, we write 
$X\text{-tuple}_\sigma(\tau)$. We write $X\text{-tuple}_\sigma$ for the set of tuples satisfying 
this condition. 

2.5.1. Tuple Coherency 

Conceptually, relations provide a representation for storing valuations (assignments of values 
to variables) and so we must distinguish between tuples which represent coherent valuations 
(even when their schemata may contain duplicate variable names) and tuples that do not. This 
motivates the following definitions. 

The wellformedness condition on relations requires values in columns labeled by a variable come 
from the domain of that variable, but does not rule out cases where a single tuple with multiple 
columns named by the same variable has different values in those columns. 

Example 1. Consider the relation 

$$\langle\langle x, x, y\rangle, \{\langle 1,2,3\rangle, \langle 1,1,3\rangle, \langle 2,2,3\rangle\}\rangle$$

The variable $x$ occurs twice in the schema and the first tuple in the schema assigns different 
values to $x$; this tuple is not coherent. 

An $X$-tuple $\tau$ is coherent w.r.t. variable $z$ iff the following holds. 

$$\mathrm{coh}\{X, z\}(\tau) \stackrel{\text{def}}{=} \forall i, j : X[[z]].\ \tau[i] = \tau[j]$$

We say a tuple is incoherent w.r.t. $z$ if it is not coherent. Note that this definition is 
sensible whether $z \in X$ or not. A simple consequence of the definition is that an $X$-tuple 
$\tau$ is incoherent w.r.t. variable $z$ iff 

$$\exists i, j : X[[z]].\ \tau[i] \neq \tau[j]$$

An $X$-tuple $\tau$ is coherent with schema $Y$ iff it is coherent w.r.t. all variables 
$z \in Y$. 

$$\mathrm{coh}\{X, Y\}(\tau) \stackrel{\text{def}}{=} \forall z \in Y.\ \mathrm{coh}\{X, z\}(\tau)$$

We say an $X$-tuple is incoherent with respect to schema $Y$ if it is not coherent w.r.t. $Y$. 
Only coherent tuples count as solutions (Def. 3). 

Remark 1. In many constraint solvers, incoherent tuples may arise during a computation, but they 
are never counted among solutions. For example, the Global Cardinality constraint 

$$\mathrm{GCC}(\langle x, x, y\rangle, \langle 1, 2\rangle, \langle (2 \ldots 3), (1 \ldots 2)\rangle)$$

(stating that value 1 occurs two or three times, and value 2 occurs once or twice among 
variables $\langle x, x, y\rangle$) could generate the incoherent tuple $\langle 1,2,1\rangle$ 
internally when using Regin’s algorithm f2^\H Generating incoherent tuples affects both the 
internal state of a constraint propagator, and the number of vertices in the search tree. 

Strictly speaking, because incoherent tuples do not count as solutions, the semantics could be 
specified simply by disallowing them. However, this approach would rule out faithful finer 
grained representations of the internal states of constraint solvers which do generate 
incoherent tuples, e.g. when searching for support. Based on this, we have decided to include 
them although this adds some complexity to the specification. 

2.5.2. Selection 

Selection is an operation mapping relations to relations generating new ones from old by 
filtering rows (tuples) based on predicates on the values in the tuple. 

Given a relation $\langle Y, R_Y\rangle$ and an index $i \in \{0 \ldots |Y| - 1\}$, and a value 
(say $a$), index selection is defined as follows. 

$$\mathrm{select}_{(i=a)}(R_Y) \stackrel{\text{def}}{=} \{\tau \in R_Y \mid \tau[i] = a\}$$

¹ Regin’s algorithm m is polynomial-time and enforces GAC iff the schema contains no duplicate 
variables. With duplicate variables, enforcing GAC on GCC is NP-Hard [6], therefore it is 
sensible to use Regin’s algorithm in this case even though it will not enforce GAC. 

The tuples selected from a relation by index selection are not guaranteed to be coherent with 
respect to schema $Y$. 

Given a relation $\langle Y, R_Y\rangle$, a variable $x$, and a value $a$, value selection is 
defined as follows. 

$$\mathrm{select}_{(x=a)}(R_Y) \stackrel{\text{def}}{=} \{\tau \in R_Y \mid \forall i : Y[[x]].\ \tau[i] = a\}$$

Thus a tuple $\tau$ is included in a selection $\mathrm{select}_{(x=a)}R_Y$ if and only if all 
columns of $\tau$ indexed by $x$ have value $a$, i.e. $\tau$ must be coherent for $x$ and those 
columns must have value $a$. 

Lemma 2. [Selection Wellformed] For all well-formed relations $\langle Y, R_Y\rangle$ and all 
$x$, and all $a \in \mathbb{Z}$, the relation $\langle Y, \mathrm{select}_{(x=a)}R_Y\rangle$ is 
well-formed. 

Finally, we define coherent selection as follows. 

$$\mathrm{select}_Y(R_X) \stackrel{\text{def}}{=} \{\tau \in R_X \mid \mathrm{coh}\{X, Y\}(\tau)\}$$

Coherent selection selects the tuples which are coherent with respect to $Y$. 

2.5.3. Projection 

Projection is an operation for creating new relations from existing ones by allowing for the 
deletion, reordering and duplication of columns. We use a generalized version here that allows 
duplicate names. This is because many constraint solvers (including Minion [13] for example) 
allow schemata to contain duplicate names. 

Lemma 3. [Projection maps exist] For all vectors $X$ and $Y$, if $Y \subseteq X$, then there 
exists a function from the indexes of $Y$ to the indexes of $X$ (say 
$f \in \{0 \ldots |Y| - 1\} \to \{0 \ldots |X| - 1\}$) such that 

$$\forall i : \{0 \ldots |Y| - 1\}.\ Y[i] = X[f(i)]$$

Note that there is no restriction on the relative lengths of $X$ and $Y$, e.g. it is possible 
for any of the following to hold: $|Y| < |X|$, $|Y| = |X|$ or $|Y| > |X|$. The projection maps 
are evidence witnessing claims of the form $Y \subseteq X$. Furthermore, because our model allows 
for duplicated columns, there may be multiple projection maps witnessing an inclusion 
$Y \subseteq X$. 

Example 2. Consider 

$$Y = \langle x_4, x_2, x_2, x_1, x_3\rangle \qquad X = \langle x_1, x_2, x_3, x_4\rangle$$

then $Y \subseteq X$ is witnessed by the projection map: 

$$\{\langle 0,3\rangle, \langle 1,1\rangle, \langle 2,1\rangle, \langle 3,0\rangle, \langle 4,2\rangle\}$$

Similarly, $X \subseteq Y$ and is witnessed by the following. 

$$\{\langle 0,3\rangle, \langle 1,1\rangle, \langle 2,4\rangle, \langle 3,0\rangle\}$$

Also $\langle x_2\rangle \subseteq Y$ is witnessed by two functions, $\{\langle 0,1\rangle\}$ 
and $\{\langle 0,2\rangle\}$. 

Lemma 4. [Tuple Projection] Given $X$ and $Y$, if $Y \subseteq X$ is witnessed by $f$, for each 
$X$-tuple $\tau$ there is a vector $Y_f(\tau) : \{0 \ldots |Y| - 1\} \to \mathbb{Z}$ such that 

$$\forall i : \{0 \ldots |Y| - 1\}.\ Y_f(\tau)[i] = \tau[f(i)]$$

Corollary 1. [Tuple Projection Wellformed] Given $X$ and $Y$, if $Y \subseteq X$ is witnessed by 
$f$, for each $X$-tuple $\tau$, $Y_f(\tau)$ is a $Y$-tuple, i.e. $|Y_f(\tau)| = |Y|$ and all 
values in $Y_f(\tau)$ are in their domains. 

Whenever $Y \subseteq X$, projection maps $f$ and $g$ witnessing this fact behave the same when 
used to index into tuples coherent with $Y$. This is illustrated by the following example. 

Example 3. Suppose $Y = \langle x, y\rangle$ and $X = \langle x, x, w, y, w\rangle$; then there 
are two projection maps witnessing $Y \subseteq X$, 
$f = \{\langle 0,0\rangle, \langle 1,3\rangle\}$ and 
$g = \{\langle 0,1\rangle, \langle 1,3\rangle\}$. Now, any length $|X| = 5$ tuple coherent with 
$Y$ is of the form $\tau = \langle a, a, b, c, d\rangle$ where $a, b, c, d \in \mathbb{Z}$. Thus, 
even though $f(0) \neq g(0)$ the following equalities hold: 

$$\tau[f(0)] = \tau[0] = a = \tau[1] = \tau[g(0)]$$

This observation is made precise by the following lemma. 

Lemma 5. [Coherent Projection Unique] For all $X$ and $Y$, and for all projection maps $f$ and 
$g$ witnessing $Y \subseteq X$, for all $X$-tuples $\tau$ coherent with schema $Y$, 
$Y_f(\tau) = Y_g(\tau)$. 

Notational Remark 1. Since projections $Z$ where $Z \subseteq X$ do not depend on the projection 
map they are built from when the $X$-tuple $\tau$ is coherent with $Z$, we will simply write 
$Z(\tau)$ in this case. 

Lemma 6. [Projection Coherent] For all $X$, $Y$ and $Z$, if $Y \subseteq X$ and if $\tau$ is an 
$X$-tuple coherent with $Z$, then $Y[\tau]$ is a $Y$-tuple coherent with $Z$. 
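
The definitions of Sections 2.5.1 to 2.5.3 can be exercised by enumeration. The Python below is an added example, not code from the paper: the function names are hypothetical, a projection map is stored as a tuple f in which f[i] is the index of X read by column i of Y, and the two-value domain used to check Lemma 5 is a constructed input. It reproduces Examples 1 to 3.

```python
from itertools import product

def indexes(Y, z):
    """Y[[z]]: the positions at which variable z occurs in schema Y."""
    return [i for i, v in enumerate(Y) if v == z]

def coherent(X, tau, z):
    """coh{X,z}(tau): all columns of tau named z hold one value (vacuous if z not in X)."""
    return len({tau[i] for i in indexes(X, z)}) <= 1

def coherent_with(X, tau, Y):
    """coh{X,Y}(tau): tau is coherent w.r.t. every variable of Y."""
    return all(coherent(X, tau, z) for z in Y)

def select_value(Y, R, x, a):
    """Value selection: keep tuples whose x-columns all equal a."""
    return {t for t in R if all(t[i] == a for i in indexes(Y, x))}

def select_coherent(X, R, Y):
    """Coherent selection: keep the tuples of R coherent with schema Y."""
    return {t for t in R if coherent_with(X, t, Y)}

def projection_maps(Y, X):
    """Every f with Y[i] == X[f[i]] (Lemma 3); an empty list means Y is not included in X."""
    return list(product(*(indexes(X, y) for y in Y)))

def project(f, tau):
    """Y_f(tau) from Lemma 4."""
    return tuple(tau[j] for j in f)

def projections(Y, X, tau):
    """Distinct Y-tuples obtained from tau over all projection maps."""
    return {project(f, tau) for f in projection_maps(Y, X)}

def lemma5_holds(Y, X, domain):
    """Lemma 5 by enumeration: coherent tuples project identically under every map."""
    return all(len(projections(Y, X, t)) == 1
               for t in product(domain, repeat=len(X))
               if coherent_with(X, t, Y))

# Example 1: the tuple (1, 2, 3) gives x two different values.
EX1_SCHEMA = ("x", "x", "y")
EX1_ROWS = {(1, 2, 3), (1, 1, 3), (2, 2, 3)}

# Example 2 schemata.
Y2 = ("x4", "x2", "x2", "x1", "x3")
X2 = ("x1", "x2", "x3", "x4")

# Example 3 schemata.
Y3 = ("x", "y")
X3 = ("x", "x", "w", "y", "w")

if __name__ == "__main__":
    print("coherent rows of Example 1:", select_coherent(EX1_SCHEMA, EX1_ROWS, EX1_SCHEMA))
    print("maps witnessing Y2 in X2:", projection_maps(Y2, X2))
    print("maps witnessing X2 in Y2:", projection_maps(X2, Y2))
    print("maps witnessing Y3 in X3:", projection_maps(Y3, X3))
    print("Lemma 5 on domain {0,1}:", lemma5_holds(Y3, X3, (0, 1)))
    # An incoherent tuple (constructed) is where the two maps of Example 3 disagree.
    print("projections of (0,1,0,0,0):", projections(Y3, X3, (0, 1, 0, 0, 0)))
```

The last line shows why coherent selection has to be applied before projection: on an incoherent tuple the result depends on which projection map is chosen.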

So far we have defined projection of a single 
tuple, potentially with repeated variables in the 
schema. We lift the notation tuple-wise to relations 
as given by the following definition. 
Definition 4. [Relation Projection] Given $X$ and $Y$, and a wellformed relation 
$\langle X, R_X\rangle$, if $Y \subseteq X$ is witnessed by $f$, 

$$Y_f(\langle X, R_X\rangle) \stackrel{\text{def}}{=} \langle Y, \{\tau \in \mathbb{Z}^{|Y|} \mid \exists \tau' \in R_X.\ \tau = Y_f(\tau')\}\rangle$$

Lemma 7. [Relation Projection WF] For all well-formed relations $\langle X, R_X\rangle$ and all 
$Y$, $Y \subseteq X$ having a projection map $f$, the relation $Y_f(\langle Y, R_Y\rangle)$ is 
well-formed. 

2.5.4. Equivalence of Constraints 

Now that we have relation projection, we are able to define an equivalence of constraints which 
does not depend on the ordering (or the length) of schemata. 

Definition 5. [Schema Equivalence] 

$$X \equiv Y \stackrel{\text{def}}{=} X \subseteq Y \wedge Y \subseteq X$$

Schema equivalence requires only that $X$ and $Y$ contain the same set of variables. The order of 
variables and the number of duplicates are not restricted. 

Definition 6. [Constraint Equivalence] 

$$\langle X, R_X\rangle \equiv \langle Y, R_Y\rangle \stackrel{\text{def}}{=} X \equiv Y \wedge Y \subseteq X \text{ is witnessed by projection map } f \wedge Y_f(\mathrm{select}_X(\langle X, R_X\rangle)) = \mathrm{select}_Y(\langle Y, R_Y\rangle)$$

There are several steps to the constraint equivalence definition. First, it is required that the 
schemata are equivalent. Then we find a projection map $f$ that will be used to reorder the 
schema $X$ to match $Y$. Coherent selection is used to remove the incoherent tuples of both 
constraints. The schema $X$ of the first constraint is reordered to match $Y$. Finally, the two 
constraints are equivalent if they have the same set of coherent tuples. 

Incoherent tuples are removed before reordering the schema $X$, therefore any projection map $f$ 
will produce the same set of reordered tuples (as in Example 3). 

2.6. Syntactic Definition of Relations 

Constraints are rarely presented extensionally but are instead described in some syntactic way. 
We introduce the following notation to denote the map from syntactic descriptions to their 
extensional meanings. 

Definition 7 (Semantics). Given a syntactic description of a constraint (say $C$) over schema 
$X$ and where $\sigma$ is a signature consistent with $X$, we will write $[\![C]\!]_\sigma$ to 
denote its extension. 

So, if we have a constraint $\mathrm{Element}(X, y, z)$ where $X$ is a vector of variables and 
$y$ and $z$ are variables, and Element has a defined meaning, we can write 
$[\![\mathrm{Element}(X, y, z)]\!]_\sigma$ to obtain its relation within some signature $\sigma$. 

3. Propagation and Support 

Propagation is the process of narrowing the domains of variables so that solutions are 
preserved. This effectively shrinks the search-space and is one of the fundamental techniques 
used in constraint programming. It has been described im pp-17]) as a process of inference to 
distinguish it from search. Most work on propagation considers the constraints singly. 

Definition 8. [Generalized Arc Consistency] Given a constraint $C$ with schema $X$ and a 
signature $\sigma$, we say $\sigma' \sqsubseteq \sigma$ is Generalized Arc Consistent iff 

$$\forall i \in \{0 \ldots |X| - 1\}.\ \forall a \in \sigma(X[i]).\ a \in \sigma'(X[i]) \Leftrightarrow \exists \tau \in [\![C]\!]_\sigma.\ \tau[i] = a$$

If $\sigma'$ is Generalized Arc Consistent, we say it is GAC. 

Corollary 2. [Generalized Arc Consistency] Given a constraint $C$ and a signature $\sigma$, 
$\sigma$ is GAC for $C$ iff 

$$\forall \sigma' \sqsubset \sigma.\ [\![C]\!]_{\sigma'} \subset [\![C]\!]_\sigma$$

i.e. if all signatures having strictly narrower domains provide strictly fewer solutions for $C$ 
than $\sigma$. 

Enforcing GAC is the strongest form of propagation that considers constraints singly and acts 
only on the variable domains. Other forms of consistency (such as bound consistency) lie between 
GAC and no change (i.e. $\sigma' = \sigma$). 
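
Definition 8 and Corollary 2 can be compared by brute force on small instances. The Python below is an added example, not code from the paper: the function names are hypothetical, schemata are assumed to contain no duplicate variables, and the HALL and LT signatures are constructed sample inputs (EX4 is the AllDifferent signature discussed later in Example 4). It also runs the simple x < y rule from Section 1.2 next to full GAC.

```python
from itertools import combinations, product

def extension(schema, sig, pred):
    """[[C]]_sigma: tuples drawn from the domains in sig that satisfy pred."""
    return {t for t in product(*(sorted(sig[v]) for v in schema)) if pred(t)}

def gac(schema, sig, pred):
    """The sigma' of Definition 8: a stays in the domain of X[i] iff some
    tuple of [[C]]_sigma has a in column i."""
    ext = extension(schema, sig, pred)
    return {v: {t[i] for t in ext} for i, v in enumerate(schema)}

def is_gac(schema, sig, pred):
    """sigma is GAC when Definition 8 removes nothing from it."""
    return gac(schema, sig, pred) == {v: set(sig[v]) for v in schema}

def strict_narrowings(schema, sig):
    """Every sigma' strictly below sig: subsets per domain, at least one proper."""
    def subsets(dom):
        dom = sorted(dom)
        return [set(c) for r in range(len(dom) + 1) for c in combinations(dom, r)]
    for doms in product(*(subsets(sig[v]) for v in schema)):
        cand = dict(zip(schema, doms))
        if any(cand[v] < set(sig[v]) for v in schema):
            yield cand

def is_gac_cor2(schema, sig, pred):
    """Corollary 2: every strictly narrower signature loses at least one solution."""
    full = extension(schema, sig, pred)
    return all(extension(schema, s2, pred) < full
               for s2 in strict_narrowings(schema, sig))

def prune_lt_upper(sig):
    """The x < y rule quoted in Section 1.2: drop values of x above max(y)."""
    top = max(sig["y"])
    return {"x": {a for a in sig["x"] if a <= top}, "y": set(sig["y"])}

def all_different(t):
    return len(set(t)) == len(t)

def less_than(t):
    return t[0] < t[1]

S3 = ("x1", "x2", "x3")
EX4 = {"x1": {1, 2}, "x2": {1, 2, 3, 4}, "x3": {1, 2, 3, 4, 5}}   # signature of Example 4
HALL = {"x1": {1, 2}, "x2": {1, 2}, "x3": {1, 2, 3}}              # constructed: x1, x2 use up {1, 2}
LT = {"x": {1, 2, 3, 4, 5}, "y": {2, 3, 4}}                       # constructed domains for x < y

if __name__ == "__main__":
    print("EX4 GAC by Def. 8:", is_gac(S3, EX4, all_different))
    print("EX4 GAC by Cor. 2:", is_gac_cor2(S3, EX4, all_different))
    print("HALL after GAC:", gac(S3, HALL, all_different))
    print("x < y, quoted rule:", prune_lt_upper(LT))
    print("x < y, full GAC:", gac(("x", "y"), LT, less_than))
```

On LT the quoted rule is sound but leaves the value 4 in the domain of x, which full GAC removes because no value of y exceeds it.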

3.1. Support 

The concept of support was introduced in Section 1.4. Support is evidence that a set of domain 
values (or a single value) are consistent for some definition of consistency (for example, GAC) 
for a particular constraint $C$. If a set of values have no support, then they cannot be part of 
any solution to $C$, and therefore can be eliminated from variable domains without losing any 
solutions to the CSP. The concept of support is central to the process of propagation. 

In 0 pp. 37] Bessiere gives a description of when a tuple supports a literal. We use a more 
expressive model where support (or perhaps we should call it evidence) is defined by sets of 
tuples. In most cases, supports will be singletons (i.e. they are simply represented by a set 
containing a single tuple). However, some constraints require a set of tuples to express the 
condition for support. 

Example 4. Consider the constraint $C = \mathrm{AllDifferent}(x_1, x_2, x_3)$ with the signature 
$\sigma : x_1 \in \{1, 2\}$, $x_2 \in \{1, 2, 3, 4\}$, $x_3 \in \{1, 2, 3, 4, 5\}$. This 
signature is GAC. Given Bessiere’s description of support pp. 37] (as used by general-purpose GAC 
algorithms such as GAC-Schema) each literal in the signature would be supported by a tuple 
containing the literal. Hence every literal is contained in the support for $C$. However, not all 
literals are required; the following set is sufficient: 
$L = \{\langle x_1, 1\rangle, \langle x_1, 2\rangle, \langle x_2, 2\rangle, \langle x_2, 4\rangle, \langle x_3, 2\rangle, \langle x_3, 3\rangle, \langle x_3, 5\rangle\}$ 
[15, §5.2]. While all literals in $L$ remain valid in some smaller signature 
$\sigma_1 \sqsubset \sigma$, the constraint remains GAC. This can be used to avoid calling the 
propagator, and therefore is important to capture in our definition of generalized support. 

Extensional constraints (sets of tuples) are interpreted disjunctively, i.e. as long as the set 
is non-empty, a solution exists. Similarly, support exists if the support set is non-empty. Our 
generalization of support is to model it as a set of tuples interpreted conjunctively, i.e. they 
all must be valid for support to exist. Thus, a generalized support set is a disjunction of 
conjunctions ($\exists\forall$); we say support exists if at least one support is present in the 
set and all the tuples in that support are valid w.r.t. variable domains. 

We use the following as a simple running example throughout this section. 

Example 5. Consider the constraint $x + y + z \geq 2$ with initial signature 
$\sigma : x, y, z \in \{0, 1\}$. The signature is GAC, and the constraint is satisfied by three 
tuples: 

$$[\![x + y + z \geq 2]\!]_\sigma = \{\langle 0,1,1\rangle, \langle 1,0,1\rangle, \langle 1,1,0\rangle\}$$


3.1.1. Support Sets 

Definition 9. [Support property] Given a schema $Y$ and signature $\sigma$ over $Y$, a support 
property is a predicate 

$$P : \text{signature} \to 2^{\mathbb{Z}^{|Y|}} \to \mathbb{B}$$

mapping signatures and sets of integer tuples of length $|Y|$ to a Boolean. We will sometimes 
write the parameter indicating which signature $P[\sigma]$ depends on as a subscript $P_\sigma$ 
or drop it entirely if the property does not depend on a signature. 

Definition 10. [Support Set for a property P] Given a schema $Y$ and a signature $\sigma$ over 
$Y$ and a property of sets of $Y$-tuples, $P_\sigma$, we define the support set for $P$ to be the 
set: 

$$\mathrm{support}_{\langle Y, \sigma\rangle}(P) \stackrel{\text{def}}{=} \{S \subseteq Y\text{-tuple}_\sigma \mid P_\sigma(S) \wedge \forall S' \subset S.\ \neg P_\sigma(S')\}$$

Note that support sets are minimal w.r.t. the property $P$ since they contain no subset which 
also satisfies the property. 

Consider Example 5, the constraint $x + y + z \geq 2$. One support property is the following. 

$$P_\sigma(S) \stackrel{\text{def}}{=} \exists \tau \in S.\ \sum \tau \geq 2 \wedge \tau[0] = \min(\sigma(x))$$

This property admits sets of tuples of any size as long as one tuple satisfies the constraint, 
and the value for $x$ in that tuple is the minimum value in $\sigma(x)$. This support property 
corresponds to a propagator that prunes the minimum value of $x$ whenever there is no supporting 
tuple containing it. To enforce GAC, two other properties would be required for $y$ and $z$. The 
support set for $P_\sigma$ is 
$\mathrm{support}_{\langle\langle x, y, z\rangle, \sigma\rangle}(P) = \{\{\langle 0,1,1\rangle\}\}$. 

A collection of properties is supported if they all are. 

Definition 11. [Support for a collection of properties] If $\mathcal{P} = \{P_1, \ldots, P_k\}$ 
is a collection of properties sharing schema $Y$ and $\sigma$ is a signature over $Y$, we write 

$$\mathrm{support}_{\langle Y, \sigma\rangle}(\mathcal{P}) \stackrel{\text{def}}{=} \forall P \in \mathcal{P}.\ \mathrm{support}_{\langle Y, \sigma\rangle}(P) \neq \emptyset$$

3.1.2. Admissible Properties and Triggers 

Our language for properties is unrestrained and allows us to specify properties that are not sensible for specifying propagators. Therefore an admissibility condition is required. We define p-admissibility as follows.

Definition 12. [P-Admissibility] We say a property $P$ is p-admissible if it satisfies the following condition.

$$\forall\sigma.\ \forall\sigma' \sqsubseteq \sigma.\ \forall S \subseteq Y\text{-tuple}_\sigma.\ (P_\sigma(S) \wedge S \subseteq Y\text{-tuple}_{\sigma'}) \Rightarrow P_{\sigma'}(S)$$

In this case, we write p-admissible($P$).

P-admissibility is a kind of stability condition on properties that guarantees that if $P_\sigma(S)$ holds and the domain is narrowed to $\sigma'$, but no tuple is lost from $S$ because of the narrowing, then $P_{\sigma'}(S)$ must also hold. In the implementation of dynamic-triggered propagators it is implicitly assumed that support for these propagators satisfies this property.

Continuing example (S] the support property $P_\sigma(S) \stackrel{\mathrm{def}}{=} \exists \tau \in S.\ \sum \tau \geq 2 \wedge \tau[0] = \min(\sigma(x))$ is p-admissible: $\sum \tau \geq 2$ does not depend on $\sigma$, and $\tau[0] = \min(\sigma(x))$ can only be falsified under $\sigma'$ when the value $\min(\sigma(x))$ is not in $\sigma'(x)$. This means $\tau$ is not in $\langle x, y, z\rangle\text{-tuple}_{\sigma'}$, so the implication is trivially satisfied. Suppose $S = \{\langle 0,1,1\rangle\}$. The only way $P_{\sigma'}(S)$ can be false is if $0 \notin \sigma'(x)$. In this case, $S$ contains a tuple that is not valid in $\sigma'$, therefore the p-admissibility property is trivially true.

A constraint solver has a trigger mechanism which calls propagators when necessary. Each propagator registers an interest in domain events by placing triggers. For example, if a propagator placed a trigger on $\langle x, a\rangle$, then the removal of value $a$ in $\sigma(x)$ would cause the propagator to be called. (This is named a literal trigger [14] or neq event m)

In this paper, we focus on literal triggers which can be moved during search. We consider two different types of movable literal trigger: those which are restored as search backtracks (named dynamic literal triggers), and those which are not restored (named watched literals [14]).

The definition of p-admissibility allows the use of dynamic literal triggers, among other types. Watched literals are preferable to dynamic literal triggers because there is no need to restore them when backtracking, which saves space and time. However, it is not always possible to apply watched literals. We define an additional condition on properties named backtrack stability, which is sufficient to allow the use of watched literals.

Definition 13. [Backtrack Stability] We say a property $P$ is backtrack stable if it satisfies the following condition.

$$\forall S.\ \forall\sigma.\ \forall\sigma' \sqsubseteq \sigma.\ P_{\sigma'}(S) \Rightarrow P_\sigma(S)$$

Backtrack stability states that any non-empty support $S$ under $\sigma'$ must remain a support for all signatures $\sigma$ where $\sigma$ is larger than $\sigma'$. This guarantees that a non-empty support $S$ will remain valid as the search backtracks. The empty support indicates that the property is trivially satisfied; this support is not usually valid after backtracking, so it is excluded here.

Continuing example jS] the support property $P_\sigma(S) \stackrel{\mathrm{def}}{=} \exists \tau \in S.\ \sum \tau \geq 2 \wedge \tau[0] = \min(\sigma(x))$ is not backtrack stable because $\min(\sigma(x))$ may not be the same as $\min(\sigma'(x))$.

Backtrack stability is in fact too strong: it is not necessary for a support to remain valid for all larger signatures, it is only necessary for it to remain valid at signatures that are reachable on backtracking. However it is sufficient for the purposes of this paper.
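The three definitions above (support sets, p-admissibility, backtrack stability) can be checked exhaustively on the running example. The following is an added illustration, not code from the paper; it assumes the domains $\sigma(x) = \sigma(y) = \sigma(z) = \{0,1\}$, which this section does not state, and all function names are hypothetical.

```python
from itertools import chain, combinations, product

# Assumed domains for the running example x + y + z >= 2 (not given in this section).
SCHEMA = ("x", "y", "z")
FULL = {v: frozenset({0, 1}) for v in SCHEMA}


def tuples(sig):
    """Y-tuple_sigma: every tuple that can be drawn from the domains in sig."""
    return list(product(*(sorted(sig[v]) for v in SCHEMA)))


def subsets(items):
    """All subsets of items, as frozensets."""
    items = list(items)
    return [frozenset(c) for c in chain.from_iterable(
        combinations(items, r) for r in range(len(items) + 1))]


def P(sig, S):
    """P_sigma(S): some tuple in S sums to >= 2 and has tau[0] = min(sigma(x))."""
    return any(sum(t) >= 2 and t[0] == min(sig["x"]) for t in S)


def support_set(prop, sig):
    """Definition 10: the sets S satisfying prop that have no proper subset satisfying it."""
    sats = [S for S in subsets(tuples(sig)) if prop(sig, S)]
    return {S for S in sats if not any(T < S for T in sats)}


def sub_signatures(sig):
    """Every signature below sig (pointwise subset) that has no empty domain."""
    choices = [[d for d in subsets(sorted(sig[v])) if d] for v in SCHEMA]
    return [dict(zip(SCHEMA, c)) for c in product(*choices)]


def p_admissible(prop, top):
    """Definition 12, checked for every pair sigma' below sigma below top."""
    for sig in sub_signatures(top):
        for S in subsets(tuples(sig)):
            if not prop(sig, S):
                continue
            for sub in sub_signatures(sig):
                # S must lose no tuple under the narrowing for the condition to apply.
                if S <= set(tuples(sub)) and not prop(sub, S):
                    return False
    return True


def backtrack_counterexample(prop, top):
    """Definition 13: search for (S, sigma', sigma) with P_sigma'(S) but not P_sigma(S).

    Only non-empty S built from tuples valid in sigma' are tried; None means none was found.
    """
    for sig in sub_signatures(top):
        for sub in sub_signatures(sig):
            for S in subsets(tuples(sub)):
                if S and prop(sub, S) and not prop(sig, S):
                    return S, sub, sig
    return None


if __name__ == "__main__":
    print("support set:", support_set(P, FULL))
    print("p-admissible:", p_admissible(P, FULL))
    print("backtrack counterexample:", backtrack_counterexample(P, FULL))
```

The counterexample found is a support that is valid once $0$ has been removed from $\sigma(x)$ but stops being one when $0$ is restored on backtracking, which is why a watched literal cannot be used for this property.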

Backtrack stability also depends on the form of properties. The element support properties presented in Section 4.1.1 are not backtrack stable.
However, they can be reformulated to be backtrack 
stable, by dividing them up as we show in Section 

sm 

For some property $P_\sigma(S)$ the support $S$ is evidence that the constraint corresponding to $P$ is consistent. The intuition is that $S$ remains valid evidence until domains are narrowed to the extent that $S \not\subseteq Y\text{-tuple}_{\sigma'}$ (where $\sigma' \sqsubseteq \sigma$). This is an efficiency measure: a constraint solver can disregard the constraint corresponding to $P$ until $S \not\subseteq Y\text{-tuple}_{\sigma'}$.

For example, the property $P_\sigma(S) \stackrel{\mathrm{def}}{=} \forall b \in \sigma(j).\ \langle i, b\rangle \in S$ is not p-admissible when $j \neq i$.

Definition 14. [Properties True and False] We define the constant properties True and False by lifting them to functions of sets of tuples.

$$\mathrm{True}(S) \stackrel{\mathrm{def}}{=} \mathrm{True}$$

$$\mathrm{False}(S) \stackrel{\mathrm{def}}{=} \mathrm{False}$$

Lemma 8. [True singleton] For all $Y$ and for every signature $\sigma$ over $Y$,

$$\mathrm{support}_{(Y,\sigma)}(\mathrm{True}) = \{\emptyset\}$$

Note that it might be assumed that if any of the domains in $\sigma$ are empty, then there should be no support, even for the True property. Checking for emptiness is not a function of support, but is done at a higher level.

Lemma 9. [False Empty] For all $Y$ and for every signature $\sigma$ over $Y$,

$$\mathrm{support}_{(Y,\sigma)}(\mathrm{False}) = \emptyset$$

Corollary 3. [True and False are p-Admissible] 

The properties True and False are p-Admissible. 

We can combine supports by taking the conjunctions or disjunctions of their properties.

Definition 15. We define the conjunction and disjunction of support properties as follows.

$$(P \wedge Q)_\sigma(S) \stackrel{\mathrm{def}}{=} P_\sigma(S) \wedge Q_\sigma(S)$$

$$(P \vee Q)_\sigma(S) \stackrel{\mathrm{def}}{=} P_\sigma(S) \vee Q_\sigma(S)$$

We state the following lemma without proof.

Lemma 10. [$\wedge$ and $\vee$ are p-admissible] Given a schema $Y$ and signature $\sigma$ for $Y$ and two p-admissible properties $P$ and $Q$, then $(P \wedge Q)$ and $(P \vee Q)$ are p-admissible as well.

3.1.3. Extensional Support for Literals 
Definition 16. [Support Property (for a Literal)]

Given a schema $Y$, a signature $\sigma$ over $Y$, and a literal $\langle i = a\rangle$, then: $\langle i = a\rangle$ denotes the property supporting this literal and is given by:

$$\langle i = a\rangle(S) \stackrel{\mathrm{def}}{=} \exists \tau \in S.\ \tau[i] = a$$

The support set for $\langle i = a\rangle$ is simply the set $\mathrm{support}_{(Y,\sigma)}(\langle i = a\rangle)$.

Corollary 4. If $S \in \mathrm{support}_{(Y,\sigma)}(\langle i = a\rangle)$ then $S$ is a singleton.

Proof. Assume $S \in \mathrm{support}_{(Y,\sigma)}(\langle i = a\rangle)$, then $\langle i = a\rangle(S)$ holds, i.e. we know $\exists \tau \in S.\ \tau[i] = a$. Thus $|S| \geq 1$. Now, we assume that $|S| > 1$ and show a contradiction. There is at least one tuple $\tau$ in $S$, such that $\tau[i] = a$. If there is any other tuple $\tau' \in S$ where $\tau \neq \tau'$ then $\langle i = a\rangle(S - \{\tau'\})$ holds as well, and since this set is smaller, $S$ was not minimal and so was not a support as we assumed. □

Lemma 11. [Literals are p-admissible] Given a schema $Y$ and a signature $\sigma$ on $Y$, if $i \in \{0 \ldots |Y| - 1\}$ and $a \in \sigma(Y[i])$ then $\langle i = a\rangle$ is a p-admissible property.

Proof. Note that $\langle i = a\rangle$ does not refer to $\sigma$ at all and so is p-admissible. □


3.1.4. Structural Support - Evidence

Literal support captures support for variable-value pairs. Structural support is support for some structural condition not representable by a single tuple. Thus, if any tuple in a structural support is lost, then the support no longer holds. In example m (GAC AllDifferent) we gave a list of literals as evidence that an AllDifferent constraint is GAC. A list of literals would be represented as a structural support in our framework by using the support property for a literal (for each literal individually) then finding support for a collection of properties (as in Defn. 11).

Constraint solvers typically allow movable triggers to be placed on literals, so the connection between literals and our definition of generalised support is important for this paper. A generalised support may be less compact than the set of literals it represents. However, the implementation of a propagator may correctly place triggers on the set of literals. Generalised support is merely an abstraction used in our framework.

3.2. Soundness and Completeness of a Collection of Propagators

Propagators narrow domains to minimize the search space and provide evidence that the narrowed domains have not eliminated any solutions. Constraints may be supported by a collection of propagators. To show that the propagators are correct with respect to the constraint they support we show they are sound and complete.

3.2.1. Soundness 

Definition 17. [Propagator Soundness] Given a constraint $C$ with schema $Y$ and a set of propagators $\mathcal{P} = \{P_1, \ldots, P_m\}$ we say $\mathcal{P}$ is sound with respect to the constraint $C$ if the following holds:

$$\forall\sigma.\ \mathrm{singleton}(\sigma) \Rightarrow (\mathrm{support}_{(Y,\sigma)}(\mathcal{P}) \Rightarrow [\![C]\!]_\sigma \neq \emptyset)$$

Soundness says that for the most restricted non-empty signatures (ones where all domains in the signature have been narrowed to a singleton) the propagator must be able to distinguish between the constraint being empty or inhabited by a single tuple. If support is non-empty at a singleton domain then the constraint must be true there as well. The definition of soundness presented here is related to the one in [25].

Thinking of support as evidence for truth, one might expect soundness to be characterized as follows:

$$\forall\sigma.\ \mathrm{support}_{(Y,\sigma)}(\mathcal{P}) \Rightarrow [\![C]\!]_\sigma \neq \emptyset$$

This is too strong. At a non-singleton signature, support is an approximation to truth. For example, even though a constraint may fail in a particular non-convex domain (i.e. the domain has gaps), a propagator that operates on domain bounds may not recognize the domain is not convex until the signature has been narrowed further.

3.2.2. Completeness 

Completeness guarantees that if the meaning of a constraint is non-empty at a signature $\sigma$ (semantic truth) then there is support for the family of properties $\mathcal{P}$. The wrinkle on this scheme is that the support may not exist at $\sigma$ itself, but only at some refined $\sigma' \sqsubseteq \sigma$. If so, we insist that the constraint has not lost any tuples at the refined signature $\sigma'$.

Definition 18. [Propagator Completeness] Given a constraint $C$ with schema $Y$ and a set of propagators $\mathcal{P} = \{P_1, \ldots, P_m\}$ we say $\mathcal{P}$ is complete with respect to the constraint $C$ if the following holds:

$$\forall\sigma.\ [\![C]\!]_\sigma \neq \emptyset \Rightarrow \exists\sigma' \sqsubseteq \sigma.\ ([\![C]\!]_\sigma \subseteq [\![C]\!]_{\sigma'} \wedge \mathrm{support}_{(Y,\sigma')}(\mathcal{P}))$$

If $\mathcal{P}$ is complete we write complete($\mathcal{P}$).

Theorem 1. [Local Completeness] Given a set of properties $\mathcal{P} = \{P_1, \ldots, P_k\}$ defined over schema $Y$, if each singleton $\{P_i\}$ is complete then $\mathcal{P}$ is complete.

Proof. If $\mathcal{P}$ is supported at $\sigma$, then use witness $\sigma$ for $\sigma'$ and completeness trivially holds. Suppose there is not support for $\mathcal{P}$ at $\sigma$ where $[\![C]\!]_\sigma \neq \emptyset$. Choose one of the $P_i \in \mathcal{P}$ such that $\mathrm{support}_{(Y,\sigma)}(P_i) = \emptyset$ and let $\sigma'$, $\sigma' \sqsubset \sigma$, be the signature claimed to exist in the proof of completeness of $P_i$. By completeness of $\{P_i\}$, $[\![C]\!]_\sigma \subseteq [\![C]\!]_{\sigma'}$. If there is support for $\mathcal{P}$ at $\sigma'$ then $\mathcal{P}$ is complete. If not, iterate this process by choosing another $P_k \in \mathcal{P}$ that is not supported at $\sigma'$. The fixed-point of this process must yield a signature $\sigma$ such that $\mathrm{support}_{(Y,\sigma)}(\mathcal{P})$. The fixed-point exists because $\sqsubset$ is a well-founded relation on signatures. □


Our definition of completeness ensures that a propagator derived from a support property does not fail early, therefore it is merely a correctness property. It is similar in intention to Maher's definition of weak completeness [20], although Maher's definition only applies to singleton domains.

Soundness and completeness as defined here are the minimum conditions required for a propagator to operate correctly, thus popular notions of consistency such as GAC, bound(Z) and bound(K) are sound and complete, and therefore are supported in our framework. Soundness and completeness are satisfied by very simple support properties such as:

$$P_\sigma(S) \stackrel{\mathrm{def}}{=} (\neg\mathrm{singleton}(\sigma) \rightarrow S \neq \emptyset) \wedge (\mathrm{singleton}(\sigma) \rightarrow [\![C]\!]_\sigma \neq \emptyset)$$

This property corresponds to a propagator that waits until all variables are assigned before checking the constraint. Any practical propagator is stronger than this.

Soundness and completeness are not the only options for characterizing the correctness of a set of generalized support properties. For example, in [14] it is shown that a set of properties imply the domain is GAC. Other forms of consistency such as bound consistency could also serve as correctness conditions for a set of properties.

3.3. Formal Development of Constraint 
Propagators 

The methodology for formal development of propagators for a constraint $C$ is as follows:

i. Describe support properties ($\mathcal{P} = \{P_1, \ldots, P_k\}$) that characterize constraint $C$ and prove that they are p-admissible.

ii. For each property $P_i$, give a constructive proof of the propagation schema given in Def. 19. The computational content of these proofs gives correct-by-construction algorithms for each propagator.

iii. Prove the soundness and completeness of $\mathcal{P}$ with respect to $C$. This shows the collection of propagators are correct w.r.t. the constraint $C$. This proof often reuses the propagation schema proofs.

3.3.1. The Propagation Schema

We present the following schematic formula whose constructive proofs capture the methods of generating support for a particular property $P$.

Definition 19. [Propagation Schema] Given a schema $X$, a signature $\sigma$ and a p-admissible property $P$, constructive proofs of the following statement yield a propagator for $P$.

$$\begin{aligned}
&\forall S \in \mathrm{support}_{(X,\sigma)}(P).\\
&\quad \forall\sigma_1 \sqsubseteq \sigma.\ \mathrm{nonempty}(\sigma_1) \Rightarrow\\
&\qquad S \notin \mathrm{support}_{(X,\sigma_1)}(P) \Rightarrow\\
&\qquad\quad \mathrm{findNewSupport}(X, P, \sigma_1) \vee \mathrm{noNewSupport}(X, P, \sigma_1)
\end{aligned}$$

When an existing support $S$ has been lost in a signature $\sigma_1 \sqsubseteq \sigma$, a new support and a new signature $\sigma_2 \sqsubseteq \sigma_1$ are found in findNewSupport. Otherwise, noNewSupport states that there is no new support to be found.

$$\begin{aligned}
\mathrm{findNewSupport}(X, P, \sigma_1) \stackrel{\mathrm{def}}{=}\ &(\exists\sigma_2 \sqsubseteq \sigma_1.\ \mathrm{nonempty}(\sigma_2)\ \wedge\\
&\ \exists S' \in \mathrm{support}_{(X,\sigma_2)}(P).\\
&\ \forall\sigma_3.\ \sigma_2 \sqsubset \sigma_3 \sqsubseteq \sigma_1 \Rightarrow \mathrm{support}_{(X,\sigma_3)}(P) = \emptyset)
\end{aligned}$$

$$\mathrm{noNewSupport}(X, P, \sigma_1) \stackrel{\mathrm{def}}{=} \forall\sigma_2 \sqsubseteq \sigma_1.\ \mathrm{nonempty}(\sigma_2) \Rightarrow \mathrm{support}_{(X,\sigma_2)}(P) = \emptyset$$

We are interested in constructive proofs of the propagator schema when $P$ is instantiated to individual support properties.

Given an admissible support property $P$, a constructive proof of the propagator schema yields a function that takes as input a set $S$, evidence that $S \in \mathrm{support}_{(X,\sigma)}(P)$, a signature $\sigma_1$ and evidence that $\sigma_1 \sqsubseteq \sigma$, evidence that $S \notin \mathrm{support}_{(X,\sigma_1)}(P)$ and returns one of two items:

i.) a new signature $\sigma_2$, together with evidence that $\sigma_2 \sqsubseteq \sigma_1$, a set of tuples $S'$ and evidence that $S' \in \mathrm{support}_{(X,\sigma_2)}(P)$ and evidence that $\sigma_2$ is maximal.

ii.) Evidence that there is no support for $P$ in $\sigma_1$ or for any smaller signature.

Lemma 12. [non-empty in propagation schema]

In the propagation schema, if we assume the antecedent $S \notin \mathrm{support}_{(X,\sigma_1)}(P)$ and $\sigma_1 \sqsubseteq \sigma$ then $S \neq \emptyset$.

Proof. By p-admissibility of $P$, if $\emptyset \in \mathrm{support}_{(X,\sigma)}(P)$ then for all $\sigma_1 \sqsubseteq \sigma$, $\emptyset \in \mathrm{support}_{(X,\sigma_1)}(P)$.

^ There is a classical proof of propagator schema that is independent of the property P and carries no interesting computational content.

4. Generating Propagators 

In this section we present two case studies of 
applying our methodology. 

4.1. A Propagator for the Element Constraint

The element constraint is widely useful in specifying a large class of constraint problems. It has the form element($X$, $y$, $z$) where $X$ is a vector of variables and $y$ and $z$ are variables. The meaning of the element constraint is the set of all coherent tuples on the schema $\langle X \cdot y \cdot z\rangle$ of the following form.

$$\tau = \langle v_1, \ldots, v_k, i, v_i\rangle$$

Thus, $\tau[k+1] = i$ indexes $\langle v_1, \ldots, v_k\rangle$ and $\tau[k+2] = \tau[i]$.

Definition 20. [Element Semantics]

$$[\![\mathrm{element}(X, y, z)]\!]_\sigma = \langle\langle X \cdot y \cdot z\rangle, R\rangle$$

where

$$R = \{\, \tau \in \langle X \cdot y \cdot z\rangle\text{-tuple}_\sigma \mid k = |X| \wedge \tau[k+1] \in \{1..k\} \wedge \tau[k+2] = \tau[\tau[k+1]] \,\}$$

The element constraint is widely used because it represents the very basic operation of indexing a vector m- For example, Gent et al. model Langford's number problem and quasigroup table generation problems using element [14].

In [m pp. 188] three properties to establish GAC for the element constraint are characterized. We restate theorem 1 from that paper here:

Theorem 2. [Theorem 1 of reference [S].] Given an element constraint of the form Element($X$, $y$, $z$), domains given by a signature $\sigma$ are Generalized Arc Consistent if and only if all of the following hold.

$$\forall i \in \sigma(y).\ \sigma(y) = \{i\} \Rightarrow \sigma(X[i]) \subseteq \sigma(z) \qquad (1)$$

$$\forall i \in \sigma(y).\ \sigma(X[i]) \cap \sigma(z) \neq \emptyset \qquad (2)$$

$$\sigma(z) \subseteq \bigcup_{i \in \sigma(y)} \sigma(X[i]) \qquad (3)$$

4.1.1. Support Properties

Each of the three properties above can be characterized as properties of their generalized supports.

Definition 21. [Element Support Properties] Given a schema $X$ and variables $y$ and $z$ and a signature $\sigma$ there are three properties corresponding to three propagators for establishing GAC for the element constraint Element($X$, $y$, $z$). Let $k$ be $|X|$, then $k+1$ is the index of $y$ and $k+2$ is the index of $z$ in the schema $\langle X \cdot y \cdot z\rangle$.

$$\begin{aligned}
P_1[\sigma](S) \stackrel{\mathrm{def}}{=}\ &(\exists i, j : \sigma(y).\ i \neq j \wedge \langle k+1, i\rangle \in S \wedge \langle k+1, j\rangle \in S)\\
&\vee\ \forall i : \sigma(y).\ \forall a : \sigma(X[i]).\ \langle k+2, a\rangle \in S
\end{aligned}$$

$$P_2[\sigma](S) \stackrel{\mathrm{def}}{=} \forall i : \sigma(y).\ \exists a : \sigma(z).\ \langle i, a\rangle \in S \wedge \langle k+2, a\rangle \in S$$

$$P_3[\sigma](S) \stackrel{\mathrm{def}}{=} \forall a : \sigma(z).\ \exists i : \sigma(y).\ \langle i, a\rangle \in S \wedge \langle k+1, i\rangle \in S$$

Note that for property $P_1$, the first disjunct is true iff the domain of the index variable $y$ has more than one element, $|\sigma(y)| > 1$. Support for this disjunct is a pair of literals $\langle k+1, i\rangle$ and $\langle k+1, j\rangle$ where $i, j \in \sigma(y)$, $i \neq j$. Logically, $(\exists i, j : \sigma(y).\ i \neq j)$ is equivalent, but for our purposes we must provide p-admissible support. Once the domain of the index variable is a singleton ($\sigma(y) = \{i\}$), the second disjunct of $P_1$ may be satisfied. This disjunct is supported by a set of $|\sigma(X[i])|$ literals of the form $\langle k+2, a\rangle$, one literal for each $a \in \sigma(X[i])$. This is evidence for $\sigma(X[i]) \subseteq \sigma(z)$ since $k+2$ is the index of $z$ in the schema $\langle X \cdot y \cdot z\rangle$.

Property $P_2$ is supported iff $\sigma(X[i]) \cap \sigma(z)$ is non-empty for every $i \in \sigma(y)$. The support is $2m$ literals where $m = |\sigma(y)|$, two for each $i \in \sigma(y)$. These have the form $\langle i, a\rangle$ and $\langle k+2, a\rangle$ where $a$ is some value in $\sigma(z)$. If there is no support, then $\sigma(X[i]) \cap \sigma(z) = \emptyset$.

Property $P_3$ is supported iff $\sigma(z) \subseteq \bigcup_{i \in \sigma(y)} \sigma(X[i])$. The support is a set of $2m$ literals where $m = |\sigma(z)|$, two for each $a \in \sigma(z)$. The literals have the form $\langle i, a\rangle$ and $\langle k+1, i\rangle$ where $i$ is some value in $\sigma(y)$. If there is no support then for some $a \in \sigma(z)$, for all $i$, $a \notin \sigma(X[i])$.

^This specification corresponds to a set of dynamic literal triggers m Ideally a static assignment trigger would be used for $P_1$, which would trigger the propagator when $y$ is assigned. However, assignment triggers are outside the scope of this paper.

It is easy to prove that the three properties act as intended:

Theorem 3. Given a signature $\sigma$, we have:

- (1) is true if and only if $\exists S : P_1[\sigma](S)$

- (2) is true if and only if $\exists S : P_2[\sigma](S)$

- (3) is true if and only if $\exists S : P_3[\sigma](S)$

Proof. The if directions are all easy. For (1), if the first disjunct of $P_1$ is satisfied then $|\sigma(y)| > 1$ so (1) is vacuous. If the second disjunct is satisfied, it ensures that $\sigma(X[i]) \subseteq \sigma(z)$. If $P_2(S)$ is true then, for each element of the domain of the index variable $y$, there is a value $a \in \sigma(X[i]) \cap \sigma(z)$, establishing (2). If $P_3(S)$ is true then, for any value $a$ in $\sigma(z)$ there is a value $i$ of the index variable with $a \in \sigma(X[i])$, proving that (3) holds.

For Only if, first suppose that (1) is true. If $|\sigma(y)| > 1$ then we can find $i, j$ to satisfy the first disjunct of $P_1$, and set $S = \{\langle k+1, i\rangle, \langle k+1, j\rangle\}$. Otherwise, we have $\sigma(y) = \{i\}$ and $\sigma(X[i]) \subseteq \sigma(z)$. We can thus set $S = \{\langle k+2, a\rangle \mid a \in \sigma(X[i])\}$.

Suppose (2) is true. We have $\sigma(X[i]) \cap \sigma(z) \neq \emptyset$ for each $i \in \sigma(y)$. So for each $i$ there is thus some $a_i$ with $a_i \in \sigma(X[i]) \cap \sigma(z)$. We can thus set $S = \{\langle i, a_i\rangle, \langle k+2, a_i\rangle \mid i \in \sigma(y)\}$.

Suppose (3) is true. Since $\sigma(z) \subseteq \bigcup_{i \in \sigma(y)} \sigma(X[i])$ we have for each $a \in \sigma(z)$ some $i_a$ such that $i_a \in \sigma(y)$ and $a \in \sigma(X[i_a])$. We can thus set $S = \{\langle i_a, a\rangle, \langle k+1, i_a\rangle \mid a \in \sigma(z)\}$. □

4.1.2. P-Admissibility and Backtrack Stability

Following our methodology, we first prove that properties $P_1$, $P_2$ and $P_3$ are p-admissible.

Lemma 13. [$P_1$ is p-admissible]

p-admissible($P_1$)

Proof. We case split on the disjuncts of $P_1$. The first disjunct requires distinct values $i, j \in \sigma(y)$. Assuming $S \subseteq \langle X \cdot y \cdot z\rangle\text{-tuple}_{\sigma'}$, $i, j \in \sigma'(y)$ because the two necessary literals are in $S$, therefore $P_1[\sigma'](S)$ holds.

For the second disjunct of $P_1$, since $\sigma' \sqsubseteq \sigma$ we can see that $\sigma'(y) \subseteq \sigma(y)$ and $\forall i.\ \sigma'(X[i]) \subseteq \sigma(X[i])$, therefore all necessary literals are present in $S$ and $P_1[\sigma'](S)$ holds. □

Lemma 14. [$P_2$ is p-admissible]

p-admissible($P_2$)

Proof. Since $\sigma' \sqsubseteq \sigma$, $\sigma'(y) \subseteq \sigma(y)$ therefore there are fewer (or the same) values of $i$ to consider under $\sigma'$. Assuming $S \subseteq \langle X \cdot y \cdot z\rangle\text{-tuple}_{\sigma'}$, for each $i$, $\langle k+2, a\rangle \in S$ therefore $a \in \sigma'(z)$ and $P_2[\sigma'](S)$ holds. □

Lemma 15. [$P_3$ is p-admissible]

p-admissible($P_3$)

Proof. The proof is the same as above, with $z$ and $y$ exchanged, $i$ and $a$ exchanged, and $k+1$ substituted for $k+2$. □

$P_1$, $P_2$ and $P_3$ are not backtrack stable according to Def. 13. However, $P_2$ and $P_3$ can be straightforwardly reformulated to be backtrack stable: the universal quantifier is expanded to a conjunction using the initial signature, then each conjunct is made into an individual property, subscripted by $i$ or $a$ respectively. For example, $P_2$ is transformed as follows.

$$P_{2,i}[\sigma](S) \stackrel{\mathrm{def}}{=} i \in \sigma(y) \Rightarrow (\exists a : \sigma(z).\ \langle i, a\rangle \in S \wedge \langle k+2, a\rangle \in S)$$

Each of these smaller properties then requires two literals as support, or (if $i \notin \sigma(y)$) the empty set, and they are backtrack stable. $P_1$ can be reformulated to be backtrack stable, by expanding out the universal quantifiers in the same way as for $P_2$. $P_1$ would be subscripted by $i$ and $a$, $\forall i : \sigma(y)$ replaced with $i \in \sigma(y) \Rightarrow$, and the same for $\forall a : \sigma(X[i])$. These reformulations give a large set of properties, so for the sake of simplicity we use the original $P_1$, $P_2$ and $P_3$.

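4.1.3. Proofs of the Propagation Schema

Now that we have established p-admissibility for each of $P_1$, $P_2$ and $P_3$ we prove the instances of the propagator schema for each of them.

Theorem 4 ($P_1$ Support Generation). We consider $P_1$ on constraint Element($X$, $y$, $z$). We claim that Def. 19 (propagation schema) holds for $P_1$.

Proof. Let $C$ be an element constraint of the form Element($X$, $y$, $z$) where $|X| = k$ and let $\sigma$ and $\sigma_1$ be signatures mapping the variables in $X.y.z$ to their respective domains. We claim the following:

$$\begin{aligned}
&\forall S \in \mathrm{support}_{(X,\sigma)}(P).\\
&\quad \forall\sigma_1 \sqsubseteq \sigma.\ \mathrm{nonempty}(\sigma_1) \Rightarrow\\
&\qquad S \notin \mathrm{support}_{(X,\sigma_1)}(P) \Rightarrow\\
&\qquad\quad \mathrm{findNewSupport}(X, P, \sigma_1) \vee \mathrm{noNewSupport}(X, P, \sigma_1)
\end{aligned}$$

$$\begin{aligned}
\mathrm{findNewSupport}(X, P, \sigma_1) \stackrel{\mathrm{def}}{=}\ &(\exists\sigma_2 \sqsubseteq \sigma_1.\ \mathrm{nonempty}(\sigma_2)\ \wedge\\
&\ \exists S' \in \mathrm{support}_{(X,\sigma_2)}(P).\\
&\ \forall\sigma_3.\ \sigma_2 \sqsubset \sigma_3 \sqsubseteq \sigma_1 \Rightarrow \mathrm{support}_{(X,\sigma_3)}(P) = \emptyset)
\end{aligned}$$

$$\mathrm{noNewSupport}(X, P, \sigma_1) \stackrel{\mathrm{def}}{=} \forall\sigma_2 \sqsubseteq \sigma_1.\ \mathrm{nonempty}(\sigma_2) \Rightarrow \mathrm{support}_{(X,\sigma_2)}(P) = \emptyset$$

The proof consists of constructing $\sigma_2$ and $S'$ for all cases, given $\sigma_1$. When $\sigma_2 \sqsubset \sigma_1$, we also prove that $\sigma_2$ is maximal (i.e. there exists no $\sigma_3$).

$$|\sigma_1(y)| > 1 \Rightarrow S' = \{\langle k+1, \min(\sigma_1(y))\rangle, \langle k+1, \max(\sigma_1(y))\rangle\} \wedge \sigma_2 = \sigma_1$$

$$\begin{aligned}
\sigma_1(y) = \{i\} \Rightarrow\ &\sigma_2(X[i]) = \sigma_1(z) \cap \sigma_1(X[i])\\
&\wedge\ (\forall x \in \langle X \cdot y \cdot z\rangle.\ x \neq X[i] \Rightarrow \sigma_2(x) = \sigma_1(x))\\
&\wedge\ S' = \bigcup_{b \in \sigma_2(X[a])} \{\langle k+2, b\rangle\}
\end{aligned}$$

For the second case above, it remains to be shown that $\sigma_2$ is nonempty and maximal. We prove that $\sigma_2$ is maximal. For all values $b \in \sigma_2(X[a])$, a supporting literal $\langle z, b\rangle$ is required in $S'$. Therefore, $P_1$ implies that $\sigma_2(X[a]) \subseteq \sigma_2(z)$, hence $\sigma_2(X[a]) = \sigma_1(z) \cap \sigma_1(X[a])$ is maximal. For all other variables $x$, $\sigma_2(x) = \sigma_1(x)$, therefore $\sigma_2$ is maximal under $\sqsubseteq$.

If $\sigma_2(X[i]) = \emptyset$ (i.e. $\sigma_1(z) \cap \sigma_1(X[i]) = \emptyset$), $\sigma_2$ is empty. Since $\sigma_2$ is the maximal one which satisfies $P_1$, the second disjunct (noNewSupport) of the consequent of the schema holds. □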

Theorem 5 ($P_2$ Support Generation). We consider $P_2$ on constraint Element($X$, $y$, $z$). We claim that Def. 19 (propagation schema) holds for $P_2$.

Proof. Let $k = |X|$, and $\sigma_1$ and $\sigma_2$ be signatures mapping the variables in $X.y.z$ to their respective domains. The proof is by constructing $\sigma_2$ and $S'$ to satisfy the first disjunct of the consequent of the schema.

$$\sigma_2(y) = \{\, i \in \sigma_1(y) \mid \exists a \in \sigma_1(z).\ a \in \sigma_1(X[i]) \,\}$$

$$\forall x \in \langle X \cdot z\rangle.\ \sigma_2(x) = \sigma_1(x)$$

$$S' = \bigcup_{i \in \sigma_2(y)} \{\langle i, a\rangle, \langle k+2, a\rangle\}$$

$\sigma_2$ is maximal: the constructed $\sigma_2$ is identical to $\sigma_1$ except for the set $\sigma_2(y)$. For each value $i$ of $\sigma_2(y)$, $P_2$ requires that there exists a value $a$ in the domains of $X[i]$ and $z$. $\sigma_2(y)$ is the maximal subset of $\sigma_1(y)$ which satisfies this condition, therefore $\sigma_2$ is maximal under $\sqsubseteq$.

If $\sigma_2$ is empty, then (since $\sigma_2$ is maximal) the second disjunct of the consequent of the schema holds. □

Theorem 6 ($P_3$ Support Generation). We consider $P_3$ on constraint Element($X$, $y$, $z$). We claim that Def. 19 (propagation schema) holds for $P_3$.

Proof. Let $k = |X|$, and $\sigma_1$ and $\sigma_2$ be signatures mapping the variables in $X.y.z$ to their respective domains. The proof is by constructing $\sigma_2$ and $S'$ to satisfy the first disjunct of the consequent of the schema.

$$\sigma_2(z) = \{\, a \in \sigma_1(z) \mid \exists i \in \sigma_1(y).\ a \in \sigma_1(X[i]) \,\}$$

$$\forall x \in X \cdot y.\ \sigma_2(x) = \sigma_1(x)$$

$$S' = \bigcup_{a \in \sigma_2(z)} \{\langle i, a\rangle, \langle k+1, i\rangle\}$$

The constructed $\sigma_2$ is identical to $\sigma_1$ except for the set $\sigma_2(z)$. For each value $a$ of $\sigma_2(z)$, $P_3$ requires that there exists an index $i$ such that $a \in \sigma_2(X[i])$ and $i \in \sigma_2(y)$. $\sigma_2(z)$ is the maximal subset of $\sigma_1(z)$ which satisfies this condition, therefore $\sigma_2$ is maximal under $\sqsubseteq$.

If $\sigma_2$ is empty, then (since $\sigma_2$ is maximal) the second disjunct of the consequent of the schema holds. □
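The constructions in the proofs of Theorems 4 to 6 can be read directly as three narrowing functions. The sketch below is an added illustration, not the paper's extracted program or any solver's code: the function names and the representation (a dict mapping indices 1..k to domains, literals as (index, value) pairs) are assumptions, every domain is assumed non-empty on entry, and $\sigma(y) \subseteq \{1..k\}$ is assumed. It iterates the three functions to a fixed point and checks conditions (1) to (3) of Theorem 2.

```python
def gac_conditions(X, y, z):
    """Conditions (1)-(3) of Theorem 2, for domains X[1..k], y and z."""
    c1 = all(X[i] <= z for i in y) if len(y) == 1 else True
    c2 = all(bool(X[i] & z) for i in y)
    c3 = z <= frozenset().union(*(X[i] for i in y))
    return c1, c2, c3


def find_support_p1(X, y, z):
    """Theorem 4: returns (X2, y2, z2, S') or None when no new support exists."""
    k = len(X)
    if len(y) > 1:
        # First disjunct: two literals on y witness |sigma(y)| > 1; nothing is pruned.
        return X, y, z, {(k + 1, min(y)), (k + 1, max(y))}
    (i,) = y
    narrowed = X[i] & z                      # sigma2(X[i]) = sigma1(z) ∩ sigma1(X[i])
    if not narrowed:
        return None
    return {**X, i: narrowed}, y, z, {(k + 2, b) for b in narrowed}


def find_support_p2(X, y, z):
    """Theorem 5: keep the index values i for which X[i] and z share a value."""
    k = len(X)
    y2 = frozenset(i for i in y if X[i] & z)
    if not y2:
        return None
    support = set()
    for i in y2:
        a = min(X[i] & z)                    # any common value is a valid witness
        support |= {(i, a), (k + 2, a)}
    return X, y2, z, support


def find_support_p3(X, y, z):
    """Theorem 6: keep the values of z that occur in some X[i] with i in sigma(y)."""
    k = len(X)
    z2 = frozenset(a for a in z if any(a in X[i] for i in y))
    if not z2:
        return None
    support = set()
    for a in z2:
        i = min(i for i in y if a in X[i])   # any such index is a valid witness
        support |= {(i, a), (k + 1, i)}
    return X, y, z2, support


def propagate(X, y, z):
    """Apply the three functions until nothing changes; None means the constraint failed."""
    while True:
        before = (X, y, z)
        for find in (find_support_p1, find_support_p2, find_support_p3):
            result = find(X, y, z)
            if result is None:
                return None
            X, y, z, _support = result
        if (X, y, z) == before:
            return X, y, z


if __name__ == "__main__":
    # Constructed sample domains, k = 3.
    X = {1: frozenset({1, 2}), 2: frozenset({3, 4}), 3: frozenset({5})}
    print(propagate(X, frozenset({1, 2, 3}), frozenset({2, 3, 7})))
    print(propagate(X, frozenset({2}), frozenset({3, 5, 7})))
```

A real solver would not rerun all three functions in a loop; it would place triggers on the literals in each returned support and call the corresponding function only when one of them is removed.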

4.1.4. Soundness and Completeness

Now we prove that the conjunction of the element support properties (Def. 21) is sound and complete using the semantics of element (Def. 20). We will write $P_e$ for the set $\{P_1, P_2, P_3\}$.

Lemma 16. [$P_e$ is sound]

$$\forall\sigma.\ \mathrm{singleton}(\sigma) \Rightarrow (\mathrm{support}_{(Y,\sigma)}(P_e) \Rightarrow [\![\mathrm{element}(X, y, z)]\!]_\sigma \neq \emptyset)$$

Proof. Let $\sigma$ be an arbitrary singleton signature. Since $\sigma$ is a singleton it encodes a single tuple (say $\tau$). Assume $\mathrm{support}_{(Y,\sigma)}(P_e)$ holds. That is, supports for $P_1[\sigma]$, $P_2[\sigma]$ and $P_3[\sigma]$ are non-empty. Now, consider $P_1$. Since $|\sigma(y)| = 1$ we know the first disjunct can not hold and so we must have support for the second. Since $\sigma(y) \neq \emptyset$ we know that there is a single tuple supporting the second disjunct of $P_1$ and since $|\sigma(X[i])| = 1$, to support $P_1$, $\tau$ must have the form $\langle x_1, \ldots, x_{i-1}, a, x_{i+1}, \ldots, x_k, i, a\rangle$. This same tuple supports $P_2$ and $P_3$. This tuple is clearly in $[\![\mathrm{element}(X, y, z)]\!]_\sigma$ and so soundness holds. □

Theorem 7. [$\{P_1\}$ complete]

$$\forall\sigma.\ [\![\mathrm{element}(X, y, z)]\!]_\sigma \neq \emptyset \Rightarrow \exists\sigma' \sqsubseteq \sigma.\ [\![\mathrm{element}(X, y, z)]\!]_{\sigma'} = [\![\mathrm{element}(X, y, z)]\!]_\sigma \wedge \mathrm{support}_{(Y,\sigma')}(\{P_1\})$$

Proof. Assume $[\![\mathrm{element}(X, y, z)]\!]_\sigma \neq \emptyset$ for arbitrary $\sigma$. If $\mathrm{support}_{(Y,\sigma)}(P_1) \neq \emptyset$ then the theorem is trivially true, so we assume that $\mathrm{support}_{(Y,\sigma)}(P_1) = \emptyset$ and construct a signature $\sigma'$ that does not eliminate any solutions from the constraint and in which $P_1$ has support.

The first disjunct of $P_1$ is supported whenever $|\sigma(y)| > 1$ and so if $P_1$ is not supported $\sigma(y) = \{i\}$ or $\sigma(y) = \emptyset$; by assumption no domain of $\sigma$ is empty and so $\sigma(y) = \{i\}$. To falsify the second disjunct of $P_1$ when $\sigma(y) = \{i\}$, there must be some $a \in \sigma(X[i])$ such that the literal $\langle k+2, a\rangle$ can not be supported. This happens for any $a \in \sigma(X[i])$ where $a \notin \sigma(z)$. Let $\sigma_1$ be a signature that is just like $\sigma$ except that

$$\sigma_1(z) = \sigma(z) \cap \sigma(X[i])$$

Since the constraint is non-empty the intersection is non-empty. The second disjunct of $P_1$ supports this new signature so it supports $P_1$. Clearly $\sigma_1 \sqsubseteq \sigma$ and so it only remains to show that the meaning of the constraint does not change under the new signature. It is enough to show that

$$[\![\mathrm{element}(X, y, z)]\!]_\sigma \subseteq [\![\mathrm{element}(X, y, z)]\!]_{\sigma_1}$$

Assume $\tau \in [\![\mathrm{element}(X, y, z)]\!]_\sigma$. Then $\tau \in \langle X \cdot y \cdot z\rangle\text{-tuple}_\sigma$ is coherent and is of the form

$$\tau = \langle x_1, \ldots, x_{i-1}, a, x_{i+1}, \ldots, x_k, i, a\rangle$$

Since $\tau$ is an $\langle X \cdot y \cdot z\rangle$-tuple we know $\tau[j] \in \sigma(X[j])$ for all $j \in \{1..k+2\}$. To construct $\sigma_1$ we simply eliminated elements $b \in \sigma(z)$ such that $b \notin \sigma(X[i])$ so since $a \in \sigma(X[i])$, $a \in \sigma_1(X[i])$ and $a \in \sigma_1(z)$ and so $\tau \in [\![\mathrm{element}(X, y, z)]\!]_{\sigma_1}$. □

Theorem 8. [$\{P_2\}$ complete]

$$\forall\sigma.\ [\![\mathrm{element}(X, y, z)]\!]_\sigma \neq \emptyset \Rightarrow \exists\sigma' \sqsubseteq \sigma.\ [\![\mathrm{element}(X, y, z)]\!]_{\sigma'} = [\![\mathrm{element}(X, y, z)]\!]_\sigma \wedge \mathrm{support}_{(Y,\sigma')}(\{P_2\})$$

Proof. Note that if $P_2[\sigma]$ is unsupported then $\sigma(X[i]) \cap \sigma(z) = \emptyset$. But since we assume that $[\![\mathrm{element}(X, y, z)]\!]_\sigma \neq \emptyset$, this is impossible and so $P_2[\sigma]$ must be supported and completeness trivially holds. □

Theorem 9. [$\{P_3\}$ complete]

Proof. If there is no support for $P_3[\sigma]$ then

$$\exists a \in \sigma(z).\ \forall i \in \sigma(y).\ a \notin \sigma(X[i])$$

Just let $\sigma'$ be the same as $\sigma$ except that we remove all such elements from the domain of $z$ in $\sigma'$.

$$\sigma'(z) = \sigma(z) \cap \bigcup_{i \in \sigma(y)} \sigma(X[i])$$

Clearly $\sigma'(z) \subseteq \sigma(z)$. The elements that have been removed could not be included in a solution of $[\![\mathrm{element}(X, y, z)]\!]_\sigma$ and so we have lost no answers. Thus, we have shown $P_3$ is complete. □

Corollary 5. [$P_e$ is complete]

Proof. The completeness of $P_e$ follows from local completeness (Thm. 1) and the completeness of $P_1$, $P_2$ and $P_3$. □

4.1.5. Discussion

The propagators derived here to enforce GAC on the element constraint are not identical to those presented by Gent et al. [14]. However they do follow the same general scheme. The main difference is that the propagators here use dynamic literal triggers in place of watched literals and a static assignment trigger. The concept of generalized support has allowed us to create these propagators within one formal framework.

4.2. New Watched Literal Propagators for Occurrence Constraints

The two constraints occurrenceleq($X$, $a$, $c$) and occurrencegeq($X$, $a$, $c$) (very similar to atmost and atleast) restrict the number of occurrences of a value in a vector of variables. If occ($X$, $a$) is the occurrences of value $a$ in $X$, occurrenceleq states that occ($X$, $a$) $\leq c$ and occurrencegeq states that occ($X$, $a$) $\geq c$.

Occurrence constraints arise in many problems. For example, in a round-robin tournament schedule, it may be required that no team plays more than twice at each stadium [26], represented by occurrenceleq constraints. In car sequencing (car factory scheduling), occurrence constraints may be used to avoid placing too much demand on a workstation

First we present the formal semantics of occurrenceleq and occurrencegeq, followed by support properties for the two constraints.

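Definition 22. [Occurrenceleq Semantics]

$$[\![\mathrm{occurrenceleq}(X, a, c)]\!]_\sigma = \langle X, R_X\rangle \text{ where } R_X = \{\, \tau \in X\text{-tuple}_\sigma \mid |\{i \mid \tau[i] = a\}| \leq c \,\}$$

Definition 23. [Occurrencegeq Semantics]

$$[\![\mathrm{occurrencegeq}(X, a, c)]\!]_\sigma = \langle X, R_X\rangle \text{ where } R_X = \{\, \tau \in X\text{-tuple}_\sigma \mid |\{i \mid \tau[i] = a\}| \geq c \,\}$$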

4.2.1. Support Properties

Definition 24. [Occurrence Support Properties]

Given a schema $X$, value $a$ and occurrence count $c$, $P_l$ is the support property for the occurrenceleq constraint, and similarly $P_g$ is the property for occurrencegeq.

$$\begin{aligned}
P_l[\sigma](S) \stackrel{\mathrm{def}}{=}\ &(\exists I \subseteq \{1 \ldots |X|\}.\ |I| = (|X| - c + 1) \wedge \forall i \in I.\ \exists b \neq a.\ \langle i, b\rangle \in S)\\
&\vee\ (\exists I \subseteq \{1 \ldots |X|\}.\ |I| = (|X| - c) \wedge \forall i \in I.\ a \notin \sigma(X[i]))
\end{aligned}$$

$$\begin{aligned}
P_g[\sigma](S) \stackrel{\mathrm{def}}{=}\ &(\exists I \subseteq \{1 \ldots |X|\}.\ |I| = (c + 1) \wedge \forall i \in I.\ \langle i, a\rangle \in S)\\
&\vee\ (\exists I \subseteq \{1 \ldots |X|\}.\ |I| = c \wedge \forall i \in I.\ \nexists b \in \sigma(X[i]).\ b \neq a)
\end{aligned}$$

$P_g$ is slightly simpler, so we consider it first. There are two forms of support which can satisfy $P_g$, corresponding to the two disjuncts. The first disjunct can be satisfied if $c + 1$ variables have $a$ in their domain, by a support set which contains $c + 1$ literals mapping distinct variables to $a$. The second disjunct is satisfied if $c$ variables are set to $a$. In this case, $S$ may be empty.

When it is no longer possible to satisfy the first disjunct, a corresponding propagator must narrow the domains to satisfy the second disjunct, by setting $c$ variables to $a$. At this point, the constraint is trivially satisfied so $S$ may be empty.

$P_l$ is very similar, and essentially works in the same way except that it requires $|X| - c$ non-occurrences of $a$ rather than $c$ occurrences of $a$.

4.2.2. P-Admissibility and Backtrack Stability

We now prove that both properties meet the
p-admissibility requirement.

Theorem 10. [$P_l$ P-Admissible] $P_l$ is p-admissible
according to Def. ITU

Proof. We case split on the disjuncts of $P_l$. The
first disjunct does not refer to $\sigma'$, and (since S has
not changed) it remains true. The second disjunct
is satisfied by $S' = \emptyset$ only when the constraint is
a tautology. Since $a \notin \sigma(X[i])$ and $\sigma' \subseteq \sigma$, then
$a \notin \sigma'(X[i])$ and the property remains true. □

Theorem 11. [$P_g$ P-Admissible] $P_g$ is p-admissible
according to Def. UR

Proof. We case split on the disjuncts of $P_g$. The
first disjunct does not refer to $\sigma'$, and (since S has
not changed) it remains true. The second disjunct
is satisfied by $S = \emptyset$ only when the constraint is a
tautology. Since $\sigma(X[i]) \subseteq \{a\}$ and $\sigma' \subseteq \sigma$, then
$\sigma'(X[i]) \subseteq \{a\}$ and the property remains true. □

In order for the two propagators to make use of
watched literals, we must prove that both properties
are backtrack stable. The watched literals
representing a support are not backtracked, so a
support must remain a support as search backtracks
(and the domains are widened).

Theorem 12. [Occurrence Backtrack Stable] The
two occurrence support properties are backtrack
stable according to Def. MA

Proof. For both properties, the second disjunct is
irrelevant because it is satisfied by $S' = \emptyset$ only
when the constraint is a tautology. The support
$\emptyset$ is not required to be backtrack stable. In both
properties the first disjunct requires a fixed number
($|X| - c + 1$ or $c + 1$) of literals to be in S (with
variable indices I). It is clear that for any $\sigma'$ where
$\sigma \subseteq \sigma'$, the same I may be used to discharge the
existential, and S will be valid w.r.t. $\sigma'$. □


4.2.3. Proofs of the Propagation Schema

Now we give a constructive proof of the propagation
schema for $P_l$. Recall that the computational
content of the proof is a propagator for $P_l$.

Theorem 13 ($P_l$ Support Generation). We consider
$P_l$ on constraint occurrenceleq(X, a, c).
We claim that Def. 19 (propagation schema) holds
for $P_l$.

Proof. Let $\sigma_1$ and $\sigma_2$ be signatures mapping the
variables in X to their respective domains. S and
$\sigma_1 \subseteq \sigma$ are universally quantified in the schema,
therefore we use them as givens. We assume that
$S \notin \mathit{support}_{\langle X, \sigma_1 \rangle}(P_l)$ and prove the consequent by
constructing $S'$ and $\sigma_2$. By lemma fT^ $S \neq \emptyset$. The
second disjunct of $P_l$ would be satisfied by $S = \emptyset$,
therefore S corresponds to the first disjunct of $P_l$.

S contains one literal for each index in I. At
least one item in S is invalid (by the antecedent).
The proof proceeds by constructing $I'$ and
corresponding $S'$ and $\sigma_2$ to satisfy the first disjunct of
$P_l$ if possible. Otherwise, the second disjunct is
satisfied by constructing $\sigma_2$ and $S' = \emptyset$.

$$\begin{aligned}
I_1 &= \{\, i \mid (i, b) \in S \land (\exists b \neq a.\ b \in \sigma_1(X[i])) \,\} \\
I_2 &= \{\, i \mid i \notin I_1 \land (\exists b \neq a.\ b \in \sigma_1(X[i])) \,\} \\
I_3 &= I_1 \cup I_2
\end{aligned}$$

$$|I_3| > (|X| - c) \Rightarrow \big( I' \subseteq I_3 \land |I'| = (|X| - c + 1) \land S' = \{\, (i, b) \mid i \in I' \land b \in \sigma_1(X[i]) \land b \neq a \,\} \land \sigma_2 = \sigma_1 \big)$$

$$|I_3| = (|X| - c) \Rightarrow S' = \emptyset \land (\forall i \notin I_3.\ \sigma_2(X[i]) = \sigma_1(X[i])) \land (\forall i \in I_3.\ \sigma_2(X[i]) = \sigma_1(X[i]) \setminus \{a\})$$

$\sigma_2$ is maximal in both of the above cases: in the
first case, $\sigma_2 = \sigma_1$, and in the second case only the
necessary values are removed to satisfy the second
disjunct of $P_l$.

When $|I_3| < (|X| - c)$, $P_l$ is false and remains
false for all $\sigma_2 \subseteq \sigma_1$ (by construction of $I_1$ and $I_2$).
Hence the second disjunct of the consequent of the
schema is satisfied. □

The proof explicitly re-uses variable indices but
not b values from S. This fits well with Minion’s
watched literal implementation, which notifies the
propagator once for each invalid literal in S. However,
the proof does not require the use of watched
literals, it allows many concrete implementations
and may be used with any propagation-based
solver.
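
The three cases of the proof of Theorem 13 (more than, exactly, or fewer than |X| - c variables that can still avoid a), written out as a small Python function. This is an added example, not Minion's code or the authors' implementation: the function names are hypothetical, domains are assumed to be a 0-based list of sets, and S is assumed to hold one literal per index, keeping a still-valid literal and otherwise picking the smallest value other than a.

```python
def propagate_occurrenceleq(dom, a, c, S):
    """One step of the Theorem 13 construction for occurrenceleq(X, a, c).

    dom: list of sets, dom[i] = sigma_1(X[i]) (0-based indices, an assumption)
    S:   dict {i: b} with b != a, the old support (some literals may be invalid)
    Returns (S2, dom2); both are None when P_l can no longer be satisfied.
    """
    n = len(dom)
    assert 0 <= c <= n
    non_a = lambda i: sorted(b for b in dom[i] if b != a)
    I1 = [i for i in sorted(S) if non_a(i)]                  # indices re-used from S
    I2 = [i for i in range(n) if i not in I1 and non_a(i)]   # fresh indices
    I3 = I1 + I2
    if len(I3) > n - c:
        # First disjunct: |X|-c+1 literals (i, b) with b != a; domains unchanged.
        S2 = {}
        for i in I3[: n - c + 1]:
            keep = i in S and S[i] in dom[i]
            S2[i] = S[i] if keep else non_a(i)[0]
        return S2, [set(d) for d in dom]
    if len(I3) == n - c:
        # Second disjunct: exactly |X|-c variables can avoid a, so remove a
        # from those domains; the empty support then suffices.
        dom2 = [d - {a} if i in I3 else set(d) for i, d in enumerate(dom)]
        return {}, dom2
    return None, None  # fewer than |X|-c variables can avoid a: failure


def is_support(dom, a, c, S):
    """Check P_l[sigma](S) for a support S whose literals must be valid in dom."""
    n = len(dom)
    valid = [i for i, b in S.items() if b != a and b in dom[i]]
    a_free = [i for i in range(n) if a not in dom[i]]
    return len(valid) >= n - c + 1 or len(a_free) >= n - c
```
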

It is straightforward to prove the propagation
schema for $P_g$, based on the proof for $P_l$.

Theorem 14 ($P_g$ Support Generation). We consider
$P_g$ on constraint occurrencegeq(X, a, c).
We claim that Def. 19 (propagation schema) holds
for $P_g$.

Proof. The proof is the same as the proof of $P_l$,
with c substituted for $|X| - c$ in all places, and
$(a \in \sigma_1(X[i]))$ substituted for $(\exists b \neq a.\ b \in \sigma_1(X[i]))$,
and $\{a\}$ substituted for $\sigma_1(X[i]) \setminus \{a\}$. □

This proof also re-uses variable indices from S
and thus fits well with Minion’s watched literal
infrastructure.

4.2.4. Soundness and Completeness

Now we prove the soundness and completeness
of both properties, and hence the correctness of
the two propagators.

Lemma 17. [Occurrenceleq Sound]

$$\forall \sigma.\ \mathit{singleton}(\sigma) \Rightarrow \big(\mathit{support}_{\langle X, \sigma \rangle}(P_l) \Rightarrow [\![\mathrm{occurrenceleq}(X, a, c)]\!]_\sigma \neq \emptyset\big)$$

Proof. Let $\sigma$ be an arbitrary singleton signature.
Since $\sigma$ is a singleton it encodes a single tuple (say
$\tau$). Assume $\mathit{support}_{\langle X, \sigma \rangle}(P_l)$ holds. Let b be the
number of occurrences of a in $\tau$.

Since $\sigma$ is singleton, the first disjunct of $P_l$
implies the second disjunct. (Assume I satisfies the
first disjunct. $I' \subseteq I$ where $|I'| = (|X| - c)$ is
used to satisfy the second disjunct.) Therefore
$\mathit{support}_{\langle X, \sigma \rangle}(P_l)$ implies the second disjunct of $P_l$
is satisfied (by the empty support). Hence, at least
$|X| - c$ elements of $\tau$ are not equal to a, so $b \le c$.
By Def. 22 $R_X = \{\tau\}$ and the lemma holds. □

The proof that $P_g$ is sound proceeds by the same
argument, with $|X| - c$ replaced with c, ‘not equal
to a’ replaced with ‘equal to a’ and $\le$ replaced
with $\ge$.

Lemma 18. [Occurrenceleq Complete]

$$C = \mathrm{occurrenceleq}(X, a, c)$$

$$\forall \sigma.\ [\![C]\!]_\sigma \neq \emptyset \Rightarrow \exists \sigma' \subseteq \sigma.\ [\![C]\!]_\sigma \subseteq [\![C]\!]_{\sigma'} \land \mathit{support}_{\langle X, \sigma' \rangle}(P_l)$$

Proof. Assume $[\![C]\!]_\sigma \neq \emptyset$ for arbitrary $\sigma$. If
$\mathit{support}_{\langle X, \sigma \rangle}(P_l)$ then $\sigma' = \sigma$ and completeness
trivially holds. Otherwise, by the proof of the
propagation schema for $P_l$, there exists a $\sigma' \subseteq \sigma$
(named $\sigma_2$ there) such that $\mathit{support}_{\langle X, \sigma' \rangle}(P_l)$.
Since $\sigma' \neq \sigma$, $\sigma'$ is constructed in the case where
$|I_3| = (|X| - c)$. $\sigma'$ is the same as $\sigma$ except for
indices $I_3$, where the value a is removed if present.
For all $i \notin I_3$, $\sigma(i) = \{a\}$ therefore corresponding
elements of all tuples $\tau \in [\![C]\!]_\sigma$ also equal a. No
other element of $\tau$ can be a (by Def. 22), therefore
no tuples are invalidated, $[\![C]\!]_{\sigma'} = [\![C]\!]_\sigma$ and the
lemma holds. □

Once again, the proof that $P_g$ is complete follows
the same argument. For $P_g$, $|I_3| = c$ and for all
indices $i \in I_3$, $\sigma'(i) = \{a\}$. For other indices, the
constructed $\sigma'$ is equal to $\sigma$ and does not contain
a. By Def. 23 all tuples $\tau \in [\![C]\!]_\sigma$ must equal a at
all indices $I_3$, therefore no tuples are invalidated
under $\sigma'$ and $[\![C]\!]_{\sigma'} = [\![C]\!]_\sigma$.

4.2.5. Empirical Evaluation

The occurrence propagators implemented in
Minion 0.12 (and, to the best of our knowledge, all
other solvers) use static triggers. Therefore they
may be invoked when support has not been lost.
By comparison, these watched literal propagators
are only invoked when one of the literals in the
support is lost.

We implemented the occurrenceleq(X, a, c)
propagator described by the proof of Theorem 13
in Minion 0.12. The propagator re-uses literals
(i, b) from S when constructing $S'$, allowing it
to leave the corresponding watched literals in
place. When a literal (i, b) in S is invalid, the
propagator scans through $X[\{i \ldots |X| - 1\}]$ then
$X[\{0 \ldots i - 1\}]$ to find a replacement literal. The
propagator (referred to as WatchedProp) was
constructed from the proof in less than 3 hours
programmer time.

We compare against the existing occurrenceleq
propagator (StaticProp) provided in Minion 0.12,
which uses static assignment triggers (i.e. the
propagator is notified when any variable in scope
becomes assigned).

We constructed a benchmark CSP as follows.
We have a vector of variables X where $|X| = 100$,
and initial signature $\sigma$ where $\forall i.\ \sigma(X[i]) = \{1, 2\}$.
The constraints are as follows:

$$\forall i \in \{80 .. 98\}.\ (X[i] \neq X[i+1])$$

and 100 copies of the constraint:
occurrenceleq(X, 1, 90)

The occurrence constraint is duplicated to allow
accurate measurement of its efficiency. This CSP
is solved to find all solutions.

The solver branches on variables in X in index
order, and branches for 1 before 2. Once variable
X[80] is assigned by search, the remaining variables
are assigned by propagation on the $\neq$ constraints.
As search progresses, the value of each
variable in $X[\{80 \ldots 99\}]$ alternates between 1 and
2.

WatchedProp watches 11 literals of the form
(i, 2). Early in the search, most of these literals
will necessarily involve variables $X[\{80 \ldots 99\}]$, a
pathological case for WatchedProp. As search
progresses, more variables in $X[\{0 \ldots 79\}]$ will be
assigned 2, therefore the performance of WatchedProp
should improve.

Table 1 shows that StaticProp scales approximately
linearly in the number of search nodes
explored, but WatchedProp speeds up as search
progresses. With a limit of 100 million nodes,
WatchedProp is more than twice as fast as StaticProp.

4.2.6. Discussion

We have shown that our framework can be used
to create highly efficient watched literal propagators
for occurrence constraints, and that these
outperform conventional propagators that use static
triggers. There is no requirement for the propagators
to maintain GAC. In this case we have proven
that the propagators are sound and complete,
the most basic requirements for correctness. The
framework is entirely agnostic about whether the
propagator maintains GAC, some form of bound
consistency or indeed some custom consistency
that is specific to the type of constraint.

5. Conclusions and Future Work

This paper has made a number of contributions
to the formal study of constraint solving, in particular
of propagation in constraint solving. We have
shown that we can define formally a notion of
generalized support, which generalizes the standard
notion of support in constraint satisfaction. This
generalization allows us to work with propagators
that might not have been seen as using support.

Since our definition is so general, we introduced
the notion of “p-admissible” support properties.
The definition of p-admissibility corresponds to
the use of a particular kind of trigger within the
constraint solver. Triggers are events which cause
propagators to be called within the solver, and
p-admissibility guarantees that any event which
might cause support to be lost is observed by some
trigger. In this paper we have focussed on a
definition of p-admissibility corresponding to literal
triggers (that are activated by deletion of a particular
value from the domain of a variable). We have
given a formal description of constraint propagation.
Given a p-admissible support property, we
have defined the propagation schema. A constructive
proof of the propagation schema shows how
a propagator can be constructed to find new support
when support is lost. We have given examples
of this for the specific constraints “element”,
“occurrenceleq” and “occurrencegeq”.

Our work on propagators is not merely a
formalisation of existing standard usage in constraint
programming. We are not aware of a definition of
support as general as ours within constraints. The
notion of generalized support should be directly
useful in constraints, enabling a much better
understanding of propagation algorithms in the
constraint community. Our hypothesis is that almost
all propagators used in constraint solvers can be
seen as reasoning with some form of support property,
even though most propagators are not currently
presented as doing so. Once this hypothesis
is confirmed, we can present propagation algorithms
in a much more uniform fashion, as well as
building constraint solvers to exploit these propagation
algorithms. Thus our intended future work
consists of two strands: first continuing the formal
development we have started here, and second
demonstrating the application of our work to the
constraints community.

| Search node limit (n) | WatchedProp time (s) | StaticProp time (s) |
|-----------------------|----------------------|---------------------|
| 100,000               | 1.72                 | 1.20                |
| 1,000,000             | 12.40                | 11.54               |
| 10,000,000            | 86.13                | 120.31              |
| 100,000,000           | 518.81               | 1205.07             |

Table 1

Times for the WatchedProp and StaticProp algorithms,
median of 16 runs on a dual processor Intel Xeon E5520 at
2.27GHz.